Abstract

We revisit the SL synchronous programming model introduced by Boussinot and De Simone (IEEE Trans. on Soft. Eng., 1996). We discuss an alternative design of the model including thread spawning and recursive definitions and we explore some basic properties of the revised model: determinism, reactivity, CPS translation to a tail recursive form, computational expressivity, and a compositional notion of program equivalence.
1 Introduction

In synchronous models the computation of a set of participants is regulated by a notion of instant. The Synchronous Language introduced in [8] belongs to this category. A program in this language generally contains sub-programs running in parallel and interacting via shared signals. By default, at the beginning of each instant a signal is absent and once it is emitted it remains in that state till the end of the instant. The model can be regarded as a relaxation of the Esterel model [Sj where the reaction to the absence of a signal is delayed to the following instant, thus avoiding the difficult problems due to causality cycles in Esterel programs.

The model has gradually evolved into a programming language for concurrent applications and has been implemented in the context of various programming languages such as C, Java, Scheme, and Caml (see, e.g., [TTH I2(J[ IT3] ). The design accommodates a dynamic computing environment with threads entering or leaving the synchronisation space [8]. In this context, it seems natural to suppose that the scheduling of the threads is only determined at run time (as opposed to certain synchronous languages such as Esterel or Lustre). It appears that many typical "concurrent" applications such as event-driven controllers, data flow architectures, graphical user interfaces, simulations, web services, multiplayer games, are more effectively programmed in the synchronous framework.

*Partially supported by ACI Sécurité Informatique CRISS.
†Laboratoire Preuves, Programmes et Systèmes, UMR-CNRS 7126.
The SL language was carefully designed to be compiled to finite state automata. Motivated by the evolution of the language mentioned above, we consider a synchronous language including thread spawning and recursive definitions (section 2) and we explore some basic properties of the revised model. First, we prove that the resulting language is deterministic and provide a simple static analysis that entails reactivity (section 3). Second, we propose a continuation passing style translation to a more basic language of tail recursive threads (section 4). Third, we show that the language without signal generation has the same computational power as a class of 'monotonic' Mealy machines, while the language with signal generation is Turing equivalent (section 5). Fourth, we introduce a notion of contextual barbed bisimulation and characterise it via a suitable labelled bisimulation (section 6). Some standard proofs are delayed to appendix A.

1.1 Related work

This work is a continuation of pOj where we outline results and problems connected with the SL model 10 years after its proposal. A determinacy theorem was already stated in the original paper [8] with a similar proof based on the confluence of the 'small step' reduction. Of course, many other determinacy theorems occur in the literature on synchronous programming (cf., e.g., ^2j). The static analysis technique for ensuring reactivity is inspired by previous work by the author E] where, roughly, the reactivity of a (tail recursive) SL model with data types is studied. The tail recursive SL model and the related CPS translation appear to be original. They arose out of an attempt to understand the relative expressivity of various synchronous operators such as await, when and watch. The results on the computational expressivity of the revised model, notably its characterisation via monotonic Mealy machines, were motivated by the compilation to finite state machines in the original SL proposal [8]. Finally, there seems to be no previous attempt at developing a compositional notion of bisimulation equivalence for the SL model in a CCS style. However, a specific notion of bisimulation for 'closed systems' has been proposed recently in the framework of the work on non-interference for synchronous systems [Hj.

2 The model

In this section, we present a formalisation of the model which is largely inspired by the original proposition [8] and a recent survey. We anticipate that in section 4 we will simplify the control structure by moving to a tail recursive model and in section 6 we will discuss an alternative presentation in the spirit of process calculi.

2.1 Environments

We assume a countable set $\mathcal{S}$ of signal names $s, s', \ldots$. We suppose a subset $Int = Input \cup Output$ of $\mathcal{S}$ of observable signal names representing input or output signals and such that $\mathcal{S} \setminus Int$ is infinite. An environment $E$ is a partial function from signal names to boolean values $true$ and $false$ whose domain of definition $dom(E)$ contains $Int$ and such that $\mathcal{S} \setminus dom(E)$ is infinite.

2.2 Threads

We denote with $\vec{x}$ a vector of elements $x_1, \ldots, x_n$, $n \geq 0$, and with $[\_/\_]$ the usual substitution. By default, bound names can be renamed. We denote with $A(\vec{s}), B(\vec{s}), \ldots$ thread identifiers with parameters $\vec{s}$. As usual, each thread identifier is defined by exactly one equation $A(\vec{x}) = T$ where $T$ is a thread defined by the grammar:

$$T ::= 0 \mid (T;T) \mid (\mathsf{emit}\ s) \mid (\nu s\ T) \mid (\mathsf{thread}\ T) \mid (\mathsf{await}\ s) \mid (\mathsf{watch}\ s\ T) \mid A(\vec{s})$$

and the signal names free in $T$ are contained in $\{\vec{x}\}$. Sometimes, some of the parameters (possibly all) are fixed and in these cases we will feel free to omit them. A thread is executed relatively to an environment which is shared with other parallel threads. The intended semantics is as follows: $0$ is the terminated thread; $T;T'$ is the usual sequentialisation; $(\mathsf{emit}\ s)$ emits $s$, i.e. sets the signal $s$ to $true$ and terminates; $(\nu s\ T)$ creates a fresh signal which is local to the thread $T$ ($s$ is bound in $T$) and executes $T$; $(\mathsf{thread}\ T)$ spawns a thread $T$ which will be executed in parallel and terminates; $(\mathsf{await}\ s)$ terminates if the signal $s$ is present and suspends the execution otherwise; $(\mathsf{watch}\ s\ T)$ allows the execution of $T$ but terminates $T$ at the end of the first instant where the signal $s$ is present. The implementation of the watch instruction requires to stack the signals that may cause the abortion of the current thread together with the associated continuations. For instance, in $(\mathsf{watch}\ s_1\ (\mathsf{watch}\ s_2\ T_1); T_2); T_3$, we start executing $T_1$. Assuming that at the end of the instant the execution of $T_1$ is not completed, the computation in the following instant resumes with $T_3$ if $s_1$ was present at the end of the instant, with $T_2$ if $s_1$ was absent and $s_2$ was present at the end of the instant, and with the residual of $T_1$ otherwise. We point out that a thread spawned by the thread instruction escapes the watch signals and the related continuations.

2.3 Thread reduction

A program $P$ is a finite non-empty multi-set of threads. We denote with $sig(T)$ ($sig(P)$) the set of signals free in $T$ (in the threads in $P$). Whenever we write $(T, E)$, $(P, E)$ it is intended that $sig(T) \subseteq dom(E)$, $sig(P) \subseteq dom(E)$, respectively. All reduction rules maintain the invariant that the signals defined in the thread or in the program are in the domain of definition of the associated environment. In particular, all signal names which are not in the domain of definition of the environment are guaranteed to be fresh, i.e., not used elsewhere in the program. Finally, we make the usual assumption that reduction rules are given modulo renaming of the bound signal names.

We assume that sequential composition ';' associates to the right. A redex $\Delta$ is defined by the grammar:

$$\Delta ::= 0;T \mid (\mathsf{emit}\ s) \mid (\nu s\ T) \mid (\mathsf{thread}\ T) \mid (\mathsf{await}\ s) \mid (\mathsf{watch}\ s\ 0) \mid A(\vec{s})\ .$$

An evaluation context $C$ is defined by the grammar:

$$C ::= [\ ] \mid [\ ];T \mid (\mathsf{watch}\ s\ C) \mid (\mathsf{watch}\ s\ C);T\ .$$

We have a canonical decomposition of a thread in an evaluation context and a redex whose proof is delayed to appendix A.1.

Proposition 1 (unique decomposition) A thread $T \neq 0$ admits a unique decomposition $T = C[\Delta]$ into an evaluation context $C$ and a redex $\Delta$. Moreover, if $T = 0$ then no decomposition exists.

The reduction relation $(T, E) \rightarrow (T', E')$ is defined first on redexes by the rules (T1-7) and then it is lifted to threads by the rule (T8). The label on the arrow is the multi-set of threads spawned by the step; it is omitted when empty:

$$
\begin{array}{llll}
(T_1) & (0;T, E) & \rightarrow (T, E) & \\
(T_2) & (\mathsf{emit}\ s, E) & \rightarrow (0, E[true/s]) & \\
(T_3) & (\mathsf{watch}\ s\ 0, E) & \rightarrow (0, E) & \\
(T_4) & (\nu s\ T, E) & \rightarrow (T, E[false/s]) & \text{if } s \notin dom(E) \\
(T_5) & (A(\vec{s}), E) & \rightarrow ([\vec{s}/\vec{x}]T, E) & \text{if } A(\vec{x}) = T \\
(T_6) & (\mathsf{await}\ s, E) & \rightarrow (0, E) & \text{if } E(s) = true \\
(T_7) & (\mathsf{thread}\ T, E) & \xrightarrow{\{|T|\}} (0, E) & \\
(T_8) & (C[\Delta], E) & \xrightarrow{P''} (C[T'], E') & \text{if } (\Delta, E) \xrightarrow{P''} (T', E')
\end{array}
$$

We write $(T, E)\downarrow$ if $T$ cannot be reduced in the environment $E$ according to the rules above. We also say that $(T, E)$ is suspended. An inspection of the rules reveals that $(T, E)\downarrow$ if and only if $T = 0$ or $T = C[(\mathsf{await}\ s)]$ with $E(s) = false$. Thus the await statement is the only one that may cause the suspension of a thread. The suspension predicate is extended to programs as follows: $(P, E)\downarrow$ if $\forall T \in P$. $(T, E)\downarrow$.



2.4 Program reduction

To execute a program $P$ in an environment $E$ during an instant proceed as follows:

(1) Schedule (non-deterministically) the executions of the threads that compose it as long as some progress is possible according to the rule:

$$(P \cup \{|T|\}, E) \rightarrow (P \cup \{|T'|\} \cup P'', E') \quad \text{if } (T, E) \xrightarrow{P''} (T', E')\ .$$

We also write $(P \cup \{|T|\}, E) \rightarrow (P \cup \{|T'|\}, E')$ if $(T, E) \rightarrow (T', E')$.

(2) Transform all $(\mathsf{watch}\ s\ T)$ instructions where the signal $s$ is present into the terminated thread $0$. Formally, we rely on the function $\lfloor \_ \rfloor_E$ defined on a multi-set of suspended threads as follows:

$$
\begin{array}{rcl}
\lfloor P \rfloor_E & = & \{| \lfloor T \rfloor_E \mid T \in P |\} \\
\lfloor 0 \rfloor_E & = & 0 \\
\lfloor T;T' \rfloor_E & = & \lfloor T \rfloor_E; T' \\
\lfloor \mathsf{await}\ s \rfloor_E & = & (\mathsf{await}\ s) \\
\lfloor \mathsf{watch}\ s\ T \rfloor_E & = & \left\{ \begin{array}{ll} 0 & \text{if } E(s) = true \\ (\mathsf{watch}\ s\ \lfloor T \rfloor_E) & \text{otherwise} \end{array} \right.
\end{array}
$$
2.5 Trace semantics

Finally, the input-output behaviour of a program is described by labelled transitions $P \xrightarrow{I/O} P'$ where $I \subseteq Input$ and $O \subseteq Output$ are the signals in the interface which are present in input at the beginning of the instant and in output at the end of the instant, respectively. As in Mealy machines, the transition means that from program (state) $P$ with 'input' signals $I$ we move to program (state) $P'$ with 'output' signals $O$. This is formalised by the rule:

$$
\frac{(P, E_{I,P}) \rightarrow^* (P', E')\downarrow \qquad O = \{s \in Output \mid E'(s) = true\}}{P \xrightarrow{I/O} \lfloor P' \rfloor_{E'}}
\qquad
E_{I,P}(s) = \left\{ \begin{array}{ll} true & \text{if } s \in I \\ false & \text{if } s \in (Int \cup sig(P)) \setminus I \\ \text{undefined} & \text{otherwise} \end{array} \right.
$$

Note that in the definition of $E_{I,P}$ we insist on having all signals free in the program in the domain of definition of the environment and we leave the others undefined so that they can be potentially used in the rule $(T_4)$. A complete run of a program $P$ is a reduction $P \xrightarrow{I_1/O_1} P_1 \xrightarrow{I_2/O_2} P_2 \cdots$ which is either infinite or is finite and cannot be further extended. We define an extensional semantics of a program $P$ as the set $tr(P)$ of (finite or infinite) words associated with its complete runs. Namely:

$$tr(P) = \{ (I_1/O_1)(I_2/O_2) \cdots \mid I_i \subseteq Input,\ O_i \subseteq Output,\ P \xrightarrow{I_1/O_1} P_1 \xrightarrow{I_2/O_2} P_2 \cdots \} \qquad (1)$$



2.6 Derived instructions

We may abbreviate $(\nu s_1 \cdots (\nu s_n\ T) \cdots)$ as $(\nu s_1, \ldots, s_n\ T)$ and $(\mathsf{thread}\ T_1); \cdots; (\mathsf{thread}\ T_n)$ as $(\mathsf{thread}\ T_1, \ldots, T_n)$. Table 1 presents some derived instructions which are frequently used in programming practice. The instruction $(\mathsf{loop}\ T)$ can be thought of as $T;T;T;\cdots$. Note that in $(\mathsf{loop}\ T);T'$, $T'$ is dead code, i.e., it can never be executed. The instruction $(\mathsf{now}\ T)$ runs $T$ for the current instant, i.e., if the execution of $T$ is not completed within the current instant then it is aborted. The instruction $\mathsf{pause}$ suspends the execution of the thread for the current instant and resumes it in the following one. We will rely on this instruction to guarantee the termination of the computation of each thread within an instant (see section 3). The instruction $(\mathsf{present}\ s\ T_1\ T_2)$ branches on the presence of a signal. Note that the branch $T_2$ corresponding to the absence of the signal is executed in the following instant and that we suppose $s' \notin sig(T_1) \cup sig(T_2)$. The instruction $(T_1 \parallel T_2)$ runs in parallel the threads $T_1$ and $T_2$ and waits for their termination. Here we suppose that $s_1, s_2, s_1', s_2' \notin sig(T_1) \cup sig(T_2)$.
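As an added example (not part of the paper), the following Python interpreter implements the thread language of sections 2.2 to 2.6: the small-step rules (T1)-(T8), the scheduling of one instant, the end-of-instant function $\lfloor \_ \rfloor_E$ and the trace semantics of section 2.5. Threads are nested tuples, thread identifiers live in a dictionary, and pause is written out with the derived form of section 2.6. The names WATCHER, PAUSE, the identifier B and the interface signals s1, s2, a, o1, o2, o3 are constructed for this example; the assumption that programmer-chosen bound names never clash with parameter, interface or fresh names is stated in the docstring.

```python
"""Toy interpreter for the SL threads of section 2 (added example, not the paper's code).
Threads are tuples: ('nil',) for 0, ('seq', T1, T2), ('emit', s), ('nu', s, T), ('thread', T),
('await', s), ('watch', s, T), ('call', A, (s1, ...)) for A(s1, ...); DEFS maps A to
(parameters, body).  Assumption: programmer-chosen bound names never start with '_s'
(reserved for fresh names) and never clash with parameters, so substitution needs no renaming."""
import itertools

NIL = ('nil',)
DEFS, INPUT, OUTPUT = {}, set(), set()
_f = itertools.count(1)                      # supply of fresh signal names for (T4)

def subst(T, sg):
    """[s/x]T: apply the substitution sg (a dict) to the free signal names of T."""
    k = T[0]
    if k in ('emit', 'await'): return (k, sg.get(T[1], T[1]))
    if k == 'seq': return ('seq', subst(T[1], sg), subst(T[2], sg))
    if k == 'nu': return ('nu', T[1], subst(T[2], {x: v for x, v in sg.items() if x != T[1]}))
    if k == 'thread': return ('thread', subst(T[1], sg))
    if k == 'watch': return ('watch', sg.get(T[1], T[1]), subst(T[2], sg))
    if k == 'call': return ('call', T[1], tuple(sg.get(s, s) for s in T[2]))
    return T

def sig(T):
    """sig(T): the signal names free in T."""
    k = T[0]
    if k in ('emit', 'await'): return {T[1]}
    if k == 'seq': return sig(T[1]) | sig(T[2])
    if k == 'nu': return sig(T[2]) - {T[1]}
    if k == 'thread': return sig(T[1])
    if k == 'watch': return {T[1]} | sig(T[2])
    return set(T[2]) if k == 'call' else set()

def step(T, env):
    """One small step (T1)-(T8): returns (T', spawned threads) or None when (T, env) is
    suspended.  env is updated in place and plays the role of E'."""
    k = T[0]
    if k == 'seq' and T[1] == NIL: return T[2], []                   # (T1)  0;T -> T
    if k == 'watch' and T[2] == NIL: return NIL, []                  # (T3)  (watch s 0) -> 0
    if k in ('seq', 'watch'):                                       # (T8)  contexts [ ];T and (watch s C)
        r = step(T[1] if k == 'seq' else T[2], env)
        if r is None: return None
        return (('seq', r[0], T[2]) if k == 'seq' else ('watch', T[1], r[0])), r[1]
    if k == 'emit':                                                 # (T2)
        env[T[1]] = True
        return NIL, []
    if k == 'nu':                                                   # (T4)  pick a name outside dom(E)
        s = '_s%d' % next(_f)
        env[s] = False
        return subst(T[2], {T[1]: s}), []
    if k == 'call':                                                 # (T5)  unfold A(x) = T
        params, body = DEFS[T[1]]
        return subst(body, dict(zip(params, T[2]))), []
    if k == 'await': return (NIL, []) if env.get(T[1]) else None    # (T6)  only if s is present
    if k == 'thread': return NIL, [T[1]]                            # (T7)  spawn T, terminate
    return None                                                     # 0 does not reduce

def end_of_instant(T, env):
    """The function |_T_|_E of section 2.4 on a suspended thread."""
    k = T[0]
    if k == 'seq': return ('seq', end_of_instant(T[1], env), T[2])
    if k == 'watch': return NIL if env[T[1]] else ('watch', T[1], end_of_instant(T[2], env))
    return T                                     # 0 and (await s) are unchanged

def run_instant(program, inputs):
    """One instant: (1) schedule small steps while some thread progresses (any order gives
    the same result, theorem 3); (2) read the outputs and kill the watches on present
    signals.  Returns (O, next program).  Does not terminate on a non-reactive program."""
    env = {s: s in inputs for s in INPUT | OUTPUT | set().union(*map(sig, program))}
    program, progress = list(program), True
    while progress:
        progress = False
        for i in range(len(program)):
            r = step(program[i], env)
            if r is not None:
                program[i], spawned = r
                program.extend(spawned)          # spawned threads join the multi-set
                progress = True
    outputs = {s for s in OUTPUT if env.get(s)}
    nxt = [end_of_instant(T, env) for T in program]
    return outputs, [T for T in nxt if T != NIL]  # drop terminated threads

def trace(program, word):
    """Output word O_1 O_2 ... of the run of program on the input word I_1 I_2 ... (section 2.5)."""
    outs = []
    for I in word:
        O, program = run_instant(program, I)
        outs.append(O)
    return outs

# Constructed sample: an interface and two programs.
INPUT |= {'s1', 's2', 'a'}
OUTPUT |= {'o1', 'o2', 'o3'}
# (watch s1 ((watch s2 (await a)); (emit o2))); (emit o3): the nested watches of section 2.2
WATCHER = ('seq', ('watch', 's1', ('seq', ('watch', 's2', ('await', 'a')), ('emit', 'o2'))),
           ('emit', 'o3'))
# pause written out as in section 2.6: nu p (nu q (emit q); (watch q (await p)))
PAUSE = ('nu', 'p', ('nu', 'q', ('seq', ('emit', 'q'), ('watch', 'q', ('await', 'p')))))
# B = (thread (await a); (emit o1)); pause; B   (the pause keeps B reactive)
DEFS['B'] = ((), ('seq', ('thread', ('seq', ('await', 'a'), ('emit', 'o1'))),
                  ('seq', PAUSE, ('call', 'B', ()))))
```

On the nested-watch thread, `trace([WATCHER], [set(), {'s2'}, set()])` gives the output word $\emptyset\ \emptyset\ \{o_2, o_3\}$: the inner watch is killed at the end of the second instant and its continuations $(\mathsf{emit}\ o_2); (\mathsf{emit}\ o_3)$ run in the third. With the recursive thread, `trace([('call', 'B', ())], [set(), {'a'}, set()])` gives $\emptyset\ \{o_1\}\ \emptyset$; B spawns a new waiter at every instant and the pause ends its turn, so no instant loops.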



$$
\begin{array}{lcl}
(\mathsf{loop}\ T) & = & A \quad \text{where: } A = T;A \\[2pt]
(\mathsf{now}\ T) & = & \nu s\ (\mathsf{emit}\ s); (\mathsf{watch}\ s\ T) \qquad s \notin sig(T) \\[2pt]
\mathsf{pause} & = & \nu s\ (\mathsf{now}\ (\mathsf{await}\ s)) \\[2pt]
(\mathsf{present}\ s\ T_1\ T_2) & = & \nu s'\ (\mathsf{thread}\ (\mathsf{now}\ (\mathsf{await}\ s); (\mathsf{thread}\ T_1; (\mathsf{emit}\ s'))),\ (\mathsf{watch}\ s\ \mathsf{pause}; (\mathsf{thread}\ T_2; (\mathsf{emit}\ s')))); (\mathsf{await}\ s') \\[2pt]
(T_1 \parallel T_2) & = & \nu s_1, s_2, s_1', s_2'\ (\mathsf{thread}\ (\mathsf{watch}\ s_1'\ T_1; (\mathsf{loop}\ (\mathsf{emit}\ s_1); \mathsf{pause})),\ (\mathsf{watch}\ s_2'\ T_2; (\mathsf{loop}\ (\mathsf{emit}\ s_2); \mathsf{pause}))); \\
& & (\mathsf{await}\ s_1); (\mathsf{emit}\ s_1'); (\mathsf{await}\ s_2); (\mathsf{emit}\ s_2')
\end{array}
$$

Table 1: Some derived instructions

2.7 Comparison with [8]

The main novelty with respect to [8] is the replacement of the loop and parallel composition operators with recursive definitions and thread spawning. We should stress that the encoding of the present and parallel composition operators does not correspond exactly to the operators in the original language. This is because the instructions $T_1$ and $T_2$ are under a thread instruction and therefore their execution does not depend on watch signals that may be on top of them. If this must be the case, then we must prefix $T_1$ and $T_2$ with suitable watch instructions. The CPS translation discussed in section 4 provides a systematic method to simulate the stack of watch signals.

2.8 Cooperative vs. preemptive concurrency 

In cooperative concurrency a running thread cannot be interrupted unless it explicitly de- 
cides to return the control to the scheduler. This is to be contrasted with preemptive 
concurrency where a running thread can be interrupted at any point unless it explic- 
itly requires that a series of actions is atomic (e.g., via a lock). We refer to, e.g., [T7j 
for an extended comparison of the cooperative and preemptive models in the practice of 
programming. In its original proposal, the SL language adopts a cooperative notion of 
concurrency. Technically this means that a 'big step' reduction is defined on top of the 
'small step' reduction we have introduced. The big step reduction runs a thread atomically 
till it terminates or it suspends on an await statement. Programs are then evaluated ac- 
cording to this big step reduction. In particular, this means that the small step reductions 
cannot be freely interleaved. In the following, we will focus on the small step/preemptive 
semantics and neglect the big step/cooperative semantics for two reasons: (1) All main 
results (determinism, reactivity, CPS translation) are naturally obtained at the level of the 
small step/preemptive semantics and are then lifted to the big step/cooperative seman- 
tics. (2) The cooperative semantics goes against the natural idea of executing a program 
with parallel threads on a multi-processor where the threads run in parallel on different 
processors up to a synchronisation point. 
3 Determinism and reactivity



We consider two important properties an SL program should have: determinism and reactivity. While the first property is ensured by the design of the language (as was the case in the original language), we enforce the second by means of a new static analysis.

3.1 Determinism 

It is immediate to verify that the evaluation of a thread T in an environment E is determin- 
istic. Therefore the only potential source of non-determinism comes from the scheduling of 
the threads. The basic remark is that the emission of a signal can never block the execution 
of a statement within an instant. The more signals are emitted the more the computation 
of a thread can progress within an instant. Of course, this monotonicity property relies on 
the fact that a thread cannot detect the absence of a signal before the end of an instant. 

Technically, the property that entails determinism is the fact that the small step reduction is strongly confluent up to renaming. A renaming $\sigma$ is a bijection on signal names which is the identity on the names in the interface $Int$. We introduce a notion of equality up to renaming: (i) $T =_\sigma T'$ if there is a renaming $\sigma$ such that $\sigma T = T'$ and (ii) $(T, E) =_\sigma (T', E')$ if there is a renaming $\sigma$ such that $\sigma T = T'$ and $E = E' \circ \sigma$. In a similar way, we define $P =_\sigma P'$ and $(P, E) =_\sigma (P', E')$. We rely on equality up to renaming to define a notion of determinism.

Definition 2 The set of deterministic programs is the largest set of programs $\mathcal{D}$ such that if $P \in \mathcal{D}$, $I \subseteq Input$, $P \xrightarrow{I/O_1} P_1$ and $P \xrightarrow{I/O_2} P_2$ then $O_1 = O_2$ and $P_1 =_\sigma P_2 \in \mathcal{D}$.

In appendix A.2 we show how to derive determinism from strong confluence by means of a standard tiling argument.

Theorem 3 All programs are deterministic. 

3.2 Reactivity 

We now turn to a formal definition of reactivity. 

Definition 4 The set of reactive programs is the largest set of programs $\mathcal{R}$ such that if $P \in \mathcal{R}$ then for every choice $I \subseteq Input$ of the input signals there are $O, P'$ such that $P \xrightarrow{I/O} P'$ and $P' \in \mathcal{R}$.

We can write programs which are not reactive. For instance, the thread $A = (\mathsf{await}\ s); A$ may potentially loop within an instant. Whenever a thread loops within an instant the computation of the whole program is blocked as the instant never terminates. In programming practice, reactivity is ensured by instrumenting the code with pause statements that force the computation to suspend for the current instant. Following this practice, we take the pause statement as a primitive, though it can be defined as seen in section 2.6. This can be easily done by observing that a suspended thread may also have the shape $C[\mathsf{pause}]$ and by extending the evaluation at the end of the instant with the equation $\lfloor \mathsf{pause} \rfloor_E = 0$. We introduce next a static analysis that guarantees reactivity on a code with explicit pause statements.

We denote with $X, Y, \ldots$ finite multisets of thread identifiers and with $\ell$ a label ranging over the symbols $0$ and $\downarrow$. We define a function $Call$ associating with a thread $T$ a pair $(X, \ell)$ where intuitively the multi-set $X$ represents the thread identifiers that $T$ may call within the current instant and $\ell$ indicates whether a continuation of $T$ has the possibility of running within the current instant ($\ell = 0$) or not ($\ell = \downarrow$). As usual, $\pi_i$ projects a tuple on the $i$-th component.

$$
\begin{array}{lll}
Call(0) = Call(\mathsf{emit}\ s) = Call(\mathsf{await}\ s) = (\emptyset, 0) & & Call(\mathsf{pause}) = (\emptyset, \downarrow) \\
Call(\nu s\ T) = Call(\mathsf{watch}\ s\ T) = Call(T) & & Call(A(\vec{s})) = (\{|A|\}, 0) \\
Call(\mathsf{thread}\ T) = (\pi_1(Call(T)), 0) & & Call(T_1;T_2) = Call(T_1); Call(T_2)
\end{array}
$$

where the operation ';' is defined on the codomain of $Call$ as follows:

$$
\begin{array}{c|cc}
; & (Y, 0) & (Y, \downarrow) \\ \hline
(X, 0) & (X \cup Y, 0) & (X \cup Y, \downarrow) \\
(X, \downarrow) & (X, \downarrow) & (X, \downarrow)
\end{array}
$$

We notice that this operation is associative. It is convenient to define the $Call$ function also on evaluation contexts as follows:

$$
\begin{array}{ll}
Call([\ ]) = (\emptyset, 0) & Call([\ ];T) = Call(T) \\
Call(\mathsf{watch}\ s\ C) = Call(C) & Call((\mathsf{watch}\ s\ C);T) = Call(C); Call(T)
\end{array}
$$

and observe the following property which is proved by induction on the structure of the context.

Proposition 5 For every evaluation context $C$ and thread $T$, $Call(C[T]) = Call(T); Call(C)$.

We can now introduce a static condition that guarantees reactivity. Intuitively, to ensure the reactivity of a program $P$, it is enough to find an acyclic precedence relation on the related thread identifiers which is consistent with their definitions. Namely, we define:

$$Cnst(P) = \{ A > B \mid A(\vec{x}) = T \text{ equation for program } P,\ B \in \pi_1(Call(T)) \}$$

Theorem 6 A program $P$ is reactive if there is a well founded order $>$ on thread identifiers that satisfies the inequalities in $Cnst(P)$.

Proof. The order $>$ on thread identifiers induces a well founded order on the finite multi-sets of thread identifiers. We denote this order with $>_{mul}$. We define a size function $sz$ from threads to natural numbers $\mathbb{N}$ as follows:

$$
\begin{array}{l}
sz(0) = sz(\mathsf{pause}) = 0, \quad sz(\mathsf{emit}\ s) = sz(\mathsf{await}\ s) = sz(A(\vec{s})) = 1, \\
sz(\nu s\ T) = sz(\mathsf{watch}\ s\ T) = sz(\mathsf{thread}\ T) = 1 + sz(T), \quad sz(T_1;T_2) = 1 + sz(T_1) + sz(T_2)
\end{array}
$$

We denote with $>_{lex}$ the lexicographic order from left to right induced by the order $>_{mul}$ and the standard order on natural numbers. This order is well-founded. Finally, we consider the multi-set order $>_m$ induced by $>_{lex}$ on finite multi-sets. Again, this order is well founded. Next, we define a 'measure' $\mu$ associating with a program a finite multi-set:

$$\mu(P) = \{| (\pi_1(Call(T)), sz(T)) \mid T \in P |\}\ .$$

It just remains to check that the small step reduction decreases this measure. Namely, if $(P, E) \xrightarrow{P''} (P', E')$ then $\mu(P) >_m \mu(P') \cup \mu(P'')$, where the $\cup$ is of course intended on multi-sets. We recall that in the multi-set order an element can be replaced by a finite multi-set of strictly smaller elements. We proceed by case analysis on the small step reduction.

• Suppose the program reduction is induced by the thread reduction:

$$(C[\Delta], E) \rightarrow (C[T], E')\ .$$

where $\Delta$ has the shape $0;T'$, $\mathsf{emit}\ s$, $\nu s\ T''$, $\mathsf{await}\ s$, or $\mathsf{watch}\ s\ 0$. In these cases the first component does not increase while the size decreases.

• Suppose the program reduction is induced by the thread reduction:

$$(C[(\mathsf{thread}\ T)], E) \xrightarrow{\{|T|\}} (C[0], E)\ .$$

Assume $Call(T) = (X, \ell)$ and $Call(C) = (Y, \ell')$. By proposition 5 we have:

$$
\begin{array}{l}
Call(C[\mathsf{thread}\ T]) = Call(\mathsf{thread}\ T); Call(C) = (X, 0); (Y, \ell') = (X \cup Y, \ell') \\
Call(C[0]) = Call(0); Call(C) = (Y, \ell')\ .
\end{array}
$$

Thus the first component does not increase while the size decreases.

• Finally, suppose the program reduction comes from the unfolding of a recursive definition $A(\vec{x}) = T$:

$$C[A(\vec{s})] \rightarrow C[[\vec{s}/\vec{x}]T]\ .$$

Assume $Call(T) = (X, \ell)$ and $Call(C) = (Y, \ell')$. Then

$$Call(C[A(\vec{s})]) = (\{|A|\} \cup Y, \ell'), \qquad Call(C[T]) = Call(T); Call(C) = (X, \ell); (Y, \ell')\ .$$

By hypothesis, $\{|A|\} > X$. We derive that $\{|A|\} \cup Y >_{mul} X \cup Y \geq_{mul} Y$, and we notice that $(X, \ell); (Y, \ell')$ equals $(X \cup Y, \ell')$ if $\ell = 0$ and $(X, \downarrow)$ otherwise. □

Theorem 6 provides a sufficient (but not necessary) criterion to ensure reactivity.

Example 7 The precision of the analysis can be improved by unfolding some recursive equations. For instance, consider the thread $A$ defined by the system:

$$
\begin{array}{l}
A = (\mathsf{watch}\ s_1\ B); (\mathsf{emit}\ s_4); A \\
B = (\mathsf{await}\ s_2); (\mathsf{emit}\ s_3); \mathsf{pause}; B
\end{array}
$$

If we compute the corresponding $Call$ we obtain:

$$
\begin{array}{l}
Call((\mathsf{watch}\ s_1\ B); (\mathsf{emit}\ s_4); A) = (\{|B|\}, 0); (\emptyset, 0); (\{|A|\}, 0) = (\{|A, B|\}, 0) \\
Call((\mathsf{await}\ s_2); (\mathsf{emit}\ s_3); \mathsf{pause}; B) = (\emptyset, 0); (\emptyset, 0); (\emptyset, \downarrow); (\{|B|\}, 0) = (\emptyset, \downarrow)
\end{array}
$$

and obviously we cannot find a well founded order such that $A > A$. However, if we unfold the definition of $B$ in $A$ then we obtain $(\emptyset, \downarrow); (\emptyset, 0); (\{|A|\}, 0) = (\emptyset, \downarrow)$, and the constraints are trivially satisfied.
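The $Call$ analysis and the constraint check of theorem 6, as an added Python example (not the paper's code), run on the system of example 7 before and after unfolding $B$ in $A$. Threads use the tuple encoding described in the docstring; `reactive_order` searches the constraint graph depth-first and returns a topological order of the identifiers as the witness of the well-founded order, or `None` when the constraints are cyclic, as they are with $A > A$.

```python
"""The Call analysis of section 3.2 and the check of theorem 6 (added example, not the
paper's code).  Threads are tuples: ('nil',), ('emit', s), ('await', s), ('pause',),
('nu', s, T), ('watch', s, T), ('thread', T), ('seq', T1, T2) and ('call', A).
The label 0 means "a continuation may still run in this instant"; DOWN means it cannot.
Multisets of identifiers are collections.Counter objects."""
from collections import Counter

DOWN = 'down'

def seqcomp(p, q):
    """The ';' operation on the codomain of Call:
    (X, DOWN); (Y, l') = (X, DOWN) and (X, 0); (Y, l') = (X + Y, l')."""
    (X, l), (Y, l2) = p, q
    return (X, l) if l == DOWN else (X + Y, l2)

def call(T):
    """Call(T) = (X, l): the identifiers T may call in the current instant, and the label."""
    k = T[0]
    if k in ('nil', 'emit', 'await'): return (Counter(), 0)
    if k == 'pause': return (Counter(), DOWN)
    if k in ('nu', 'watch'): return call(T[2])
    if k == 'call': return (Counter([T[1]]), 0)
    if k == 'thread': return (call(T[1])[0], 0)     # the spawned thread runs now; T itself goes on
    return seqcomp(call(T[1]), call(T[2]))          # 'seq'

def cnst(defs):
    """Cnst(P): the pairs (A, B) with A > B required, for the equations A = T in defs."""
    return {(A, B) for A, body in defs.items() for B in call(body)[0]}

def reactive_order(defs):
    """A list of identifiers, greatest first, giving a well-founded order that satisfies
    Cnst(defs) (the witness theorem 6 asks for), or None if the constraints are cyclic."""
    succ = {}
    for A, B in cnst(defs):
        succ.setdefault(A, set()).add(B)
    state, order = {}, []

    def visit(A):                                   # depth-first search; a back edge is a cycle
        if state.get(A) == 'done': return True
        if state.get(A) == 'active': return False
        state[A] = 'active'
        if not all(visit(B) for B in succ.get(A, ())): return False
        state[A] = 'done'
        order.append(A)
        return True

    if not all(visit(A) for A in list(defs) + list(succ)): return None
    return order[::-1]

def unfold(T, name, defs):
    """Replace every call to `name` in T by its definition (one level of unfolding)."""
    k = T[0]
    if k == 'call': return defs[name] if T[1] == name else T
    if k in ('nu', 'watch'): return (k, T[1], unfold(T[2], name, defs))
    if k == 'thread': return ('thread', unfold(T[1], name, defs))
    if k == 'seq': return ('seq', unfold(T[1], name, defs), unfold(T[2], name, defs))
    return T

# Example 7, constructed as tuples:  A = (watch s1 B); (emit s4); A
#                                    B = (await s2); (emit s3); pause; B
EX7 = {
    'A': ('seq', ('watch', 's1', ('call', 'B')), ('seq', ('emit', 's4'), ('call', 'A'))),
    'B': ('seq', ('await', 's2'), ('seq', ('emit', 's3'), ('seq', ('pause',), ('call', 'B')))),
}
# The same system with the definition of B unfolded inside A.
EX7_UNFOLDED = dict(EX7, A=unfold(EX7['A'], 'B', EX7))
```

`call(EX7['A'])` is $(\{|A, B|\}, 0)$ and `call(EX7['B'])` is $(\emptyset, \downarrow)$, so `cnst(EX7)` contains the pair (A, A) and `reactive_order(EX7)` is `None`; after unfolding, `call(EX7_UNFOLDED['A'])` is $(\emptyset, \downarrow)$, the constraint set is empty and an order is returned.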



4 A tail-recursive model and a CPS translation

We introduce a more basic language of tail recursive threads to which the 'high level language' introduced in section 2 can be compiled via a continuation passing style (CPS) translation. Tail recursive threads are denoted by $t, t', \ldots$ and they are defined as follows

$$t ::= 0 \mid A(\vec{s}) \mid \mathsf{emit}\ s.t \mid \nu s\ t \mid \mathsf{thread}\ t.t \mid \mathsf{present}\ s\ t\ b$$

where $A$ is a thread identifier with the usual conventions (cf. section 2). Let $b, b', \ldots$ stand for branching threads defined as follows.

$$b ::= t \mid \mathsf{ite}\ s\ b\ b$$

Branching threads can only occur in the 'else' branch of a present instruction and they are executed only at the end of an instant once the presence or absence of a signal has been established. The small step thread reduction can be simply defined as follows:

$$
\begin{array}{llll}
(t_1) & (\mathsf{emit}\ s.t, E) & \rightarrow (t, E[true/s]) & \\
(t_2) & (\nu s\ t, E) & \rightarrow (t, E[false/s]) & \text{if } s \notin dom(E) \\
(t_3) & (A(\vec{s}), E) & \rightarrow ([\vec{s}/\vec{x}]t, E) & \text{if } A(\vec{x}) = t \\
(t_4) & (\mathsf{present}\ s\ t\ b, E) & \rightarrow (t, E) & \text{if } E(s) = true \\
(t_5) & (\mathsf{thread}\ t'.t, E) & \xrightarrow{\{|t'|\}} (t, E) &
\end{array}
$$

The execution of the branching threads at the end of the instant is defined as follows:

$$
\begin{array}{ll}
\lfloor 0 \rfloor_E = 0 & \lfloor \mathsf{present}\ s\ t\ b \rfloor_E = (|b|)_E \\[2pt]
(|t|)_E = t & (|\mathsf{ite}\ s\ b_1\ b_2|)_E = \left\{ \begin{array}{ll} (|b_1|)_E & \text{if } E(s) = true \\ (|b_2|)_E & \text{if } E(s) = false \end{array} \right.
\end{array}
$$

A program is now a finite non-empty multi-set of tail recursive threads and program reduction is defined as in section 2.4. We can define the instructions pause and await in 'prefix form' as follows:

$$
\begin{array}{l}
\mathsf{pause}.b = \nu s\ \mathsf{present}\ s\ 0\ b \\
\mathsf{await}\ s.t = A(\vec{s}), \quad \text{where: } A(\vec{s}) = \mathsf{present}\ s\ t\ A(\vec{s}),\ \{\vec{s}\} = sig(t) \cup \{s\}\ .
\end{array}
$$

Determinism is guaranteed by the design of the language while reactivity can be enforced by a static analysis similar to (but simpler than) the one presented in section 3.
4.1 CPS translation

We denote with $\epsilon$ an empty sequence. The translation $[\![\_]\!]$ described in Table 2 has 2 parameters: (1) a thread $t$ which stands for the default continuation and (2) a sequence $r = (s_1, t_1) \cdots (s_n, t_n)$. If $s_i$ is the 'first' (from left to right) signal which is present then $t_i$ is the continuation. Whenever we cross a watch statement we insert a pair $(s, t)$ in the sequence $r$. Then we can translate the await statement with the present statement provided that at the end of each instant we check (from left to right) whether there is a pair $(s, t)$ in $r$ such that the signal $s$ is present. In this case, the continuation $t$ must be run at the following instant.

Some later versions of the SL language include a (when s T) statement whose informal 
semantics is to run T (possibly over several instants) when s is present. It is possible 
to elaborate the CPS translation to handle this operator. The idea is to introduce as an 
additional parameter to the translation, the list of signals that have to be present for the 
computation to progress. 

In the translation of a thread identifier, say, $A^{(t,r)}(\vec{x}, \vec{s'}) = [\![T]\!](t, r)$, the identifier $A^{(t,r)}$ takes as additional parameters the signal names free in $(t, r)$. For the sake of readability, in the following we will simply write $A^{(t,r)}(\vec{x})$ and omit the parameters $\vec{s'}$.

It is important to notice that the translation associates with an equation $A(\vec{x}) = T$ a potentially infinite family of equations $A^{(t,r)}(\vec{x}) = [\![T]\!](t, r)$, the index $(t, r)$ depending on the evaluation context. However, whenever the evaluation contexts are 'bounded' in the sense described in the following section 4.2, only a finite number of indices are needed and the CPS translation preserves the finiteness of the system of recursive equations.
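The translation of Table 2, together with the optimised translation of pause used in example 8 below, as an added Python example (not the paper's code). It covers the fragment without thread identifiers $A(\vec{s})$; the await case generates a fresh identifier and records its equation, which is how the sequence $r$ of watch signals is unwound at the end of an instant. The sample threads NESTED and AWAITING are constructed for the example.

```python
"""The CPS translation of Table 2 plus the optimised pause of example 8 (added example,
not the paper's code).  Source threads are the tuples ('nil',), ('seq', T1, T2),
('emit', s), ('nu', s, T), ('thread', T), ('watch', s, T), ('await', s) and ('pause',).
Target (tail recursive) threads are ('nil',), ('emit', s, t), ('nu', s, t),
('thread', t1, t2), ('present', s, t, b), ('pause', b) and ('id', A) for an identifier;
branching threads are target threads or ('ite', s, b1, b2)."""

NIL = ('nil',)

def ite_chain(r, last):
    """b = ite s1 t1 (... (ite sm tm last) ...) for the sequence r = (s1,t1)...(sm,tm)."""
    b = last
    for s, ti in reversed(r):
        b = ('ite', s, ti, b)
    return b

def cps(T, t, r, eqs):
    """[T](t, r): t is the default continuation and r the stack of (watch signal,
    continuation) pairs.  Identifiers created for await are recorded in eqs as name -> body."""
    k = T[0]
    if k == 'nil': return t
    if k == 'seq':                                   # [T1;T2](t,r) = [T1]([T2](t,r), r)
        return cps(T[1], cps(T[2], t, r, eqs), r, eqs)
    if k == 'emit': return ('emit', T[1], t)
    if k == 'nu':                                    # assumes the bound name is not free in (t, r)
        return ('nu', T[1], cps(T[2], t, r, eqs))
    if k == 'thread':                                # the spawned thread starts with an empty stack
        return ('thread', cps(T[1], NIL, (), eqs), t)
    if k == 'watch':                                 # push (s, t): where to go when s is present
        return cps(T[2], t, r + ((T[1], t),), eqs)
    if k == 'pause':                                 # optimised pause of example 8
        return ('pause', ite_chain(r, t))
    if k == 'await':                                 # fresh A = present s t (ite s1 t1 ... A)
        A = ('id', 'A%d' % len(eqs))
        eqs[A[1]] = ('present', T[1], t, ite_chain(r, A))
        return A
    raise ValueError('unknown thread form %r' % (k,))

def translate(T):
    """[T](0, e) together with the equations generated along the way."""
    eqs = {}
    return cps(T, NIL, (), eqs), eqs

# Constructed sample: (watch s1 ((watch s2 pause; (emit o1)); (emit o2))); (emit o3)
NESTED = ('seq', ('watch', 's1', ('seq', ('watch', 's2', ('seq', ('pause',), ('emit', 'o1'))),
                                  ('emit', 'o2'))), ('emit', 'o3'))
# and (watch s1 (await a)); (emit o2), whose translation needs a recursive identifier
AWAITING = ('seq', ('watch', 's1', ('await', 'a')), ('emit', 'o2'))
```

For NESTED the result is $\mathsf{pause}.\mathsf{ite}\ s_1\ (\mathsf{emit}\ o_3.0)\ (\mathsf{ite}\ s_2\ (\mathsf{emit}\ o_2.\mathsf{emit}\ o_3.0)\ (\mathsf{emit}\ o_1.\mathsf{emit}\ o_2.\mathsf{emit}\ o_3.0))$ with no equations: the two watch levels have become the two tests of the branching thread, outermost first. For AWAITING the result is the identifier $A_0$ with $A_0 = \mathsf{present}\ a\ (\mathsf{emit}\ o_2.0)\ (\mathsf{ite}\ s_1\ (\mathsf{emit}\ o_2.0)\ A_0)$: when neither $a$ nor $s_1$ is present the await is resumed in the next instant.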

Example 8 We compute the CPS translation of the thread $A$ in example 7 (without unfolding). To keep the translation compact, we will use a slightly optimised CPS translation of the pause statement that goes as follows:

$$[\![\mathsf{pause}]\!](t, (s_1, t_1) \cdots (s_n, t_n)) = \mathsf{pause}.\mathsf{ite}\ s_1\ t_1 (\cdots (\mathsf{ite}\ s_n\ t_n\ t) \cdots)$$

Then the translation can be written as follows:

$$
\begin{array}{l}
A^{(0,\epsilon)} = B^{(t_1, r_1)} \\
B^{(t_1, r_1)} = \mathsf{present}\ s_2\ t_2\ (\mathsf{ite}\ s_1\ t_1\ B^{(t_1, r_1)}) \\
\text{where: } t_1 = \mathsf{emit}\ s_4.A^{(0,\epsilon)}, \quad r_1 = (s_1, t_1), \quad t_2 = \mathsf{emit}\ s_3.\mathsf{pause}.\mathsf{ite}\ s_1\ t_1\ B^{(t_1, r_1)}
\end{array}
$$

The translation is lifted to programs as follows: $[\![P]\!] = \{| [\![T]\!](0, \epsilon) \mid T \in P |\}$. We show that a program generates exactly the same traces (cf. section 2.5) as its CPS translation. To this end, it is convenient to extend the CPS translation to evaluation contexts as follows:

$$
\begin{array}{lcl}
[\![[\ ]]\!](t, r) & = & (t, r) \\
[\![[\ ];T]\!](t, r) & = & ([\![T]\!](t, r), r) \\
[\![\mathsf{watch}\ s\ C]\!](t, r) & = & [\![C]\!](t, r \cdot (s, t)) \\
[\![(\mathsf{watch}\ s\ C);T]\!](t, r) & = & [\![C]\!]([\![T]\!](t, r), r \cdot (s, [\![T]\!](t, r)))
\end{array}
$$

Then we note the following decomposition property of the CPS translation whose proof is by induction on the evaluation context.
$$
\begin{array}{lcl}
[\![0]\!](t, r) & = & t \\
[\![T_1;T_2]\!](t, r) & = & [\![T_1]\!]([\![T_2]\!](t, r), r) \\
[\![\mathsf{emit}\ s]\!](t, r) & = & \mathsf{emit}\ s.t \\
[\![\nu s\ T]\!](t, r) & = & \nu s\ [\![T]\!](t, r), \quad \text{where: } s \notin sig(t) \cup sig(r) \\
[\![\mathsf{thread}\ T]\!](t, r) & = & \mathsf{thread}\ [\![T]\!](0, \epsilon).t \\
[\![\mathsf{watch}\ s\ T]\!](t, r) & = & [\![T]\!](t, r \cdot (s, t)) \\
[\![\mathsf{await}\ s]\!](t, r) & = & \mathsf{present}\ s\ t\ b, \quad \text{where: } r = (s_1, t_1) \cdots (s_m, t_m),\ b = (\mathsf{ite}\ s_1\ t_1 \cdots (\mathsf{ite}\ s_m\ t_m\ A) \cdots), \\
& & \text{and } A \text{ is a fresh identifier with } A = \mathsf{present}\ s\ t\ b \\
[\![A(\vec{s})]\!](t, r) & = & A^{(t,r)}(\vec{s}, \vec{s'}), \quad \text{where: } \{\vec{s'}\} = sig(t) \cup sig(r)
\end{array}
$$

Table 2: A CPS translation



Proposition 9 For all $C$ evaluation context, $T$ thread, $t$ tail recursive thread, $r$ sequence,

$$[\![C[T]]\!](t, r) = [\![T]\!]([\![C]\!](t, r))\ .$$

Definition 10 We define a relation $\mathcal{R}$ between threads in the source and target language: $T\ \mathcal{R}\ t$ if either (1) $t = [\![T]\!](0, \epsilon)$ or (2) $T = C[\mathsf{await}\ s]$, $t = A$, and $A = [\![T]\!](0, \epsilon)$.

The idea is that $T\ \mathcal{R}\ t$ if $t = [\![T]\!](0, \epsilon)$ up to the unfolding of the recursive definition in the CPS translation of an await statement. The need for the unfolding arises when checking the commutation of the CPS translation with the computation at the end of the instant. Then, we show that the relation $\mathcal{R}$ behaves as a kind of weak bisimulation with respect to reduction and suspension and that it is preserved by the computation at the end of the instant. This point requires a series of technical lemmas which are presented in appendix A.3. In turn, these lemmas entail directly the following theorem 11.

Theorem 11 Let $P$ be a program. Then $tr(P) = tr([\![P]\!])$.
4.2 A static analysis to bound evaluation contexts

The source language allows an unlimited accumulation of evaluation contexts. To avoid stack overflow at run time, we define a simple control flow analysis that guarantees that each thread has an evaluation context of bounded size. For instance, the following have this property: (i) the fragment of the language using loop rather than recursive definitions and (ii) programs where recursive calls under a watch are guarded by a thread statement such as $A = (\mathsf{watch}\ s\ \mathsf{pause}; (\mathsf{thread}\ A))$. On the other hand, recursive definitions such as (i) $A = \mathsf{pause}; A; B$ and (ii) $A = (\mathsf{watch}\ s\ \mathsf{pause}; A)$ fail this property.

Let $L = \{\epsilon, \kappa\}$ be a set of labels. Intuitively, $\epsilon$ indicates an empty evaluation context, while $\kappa$ indicates a (potentially) non-empty evaluation context. Sequential composition and the watch statement increase the size of the evaluation context while the thread statement resets its size to 0. Following this intuition, we define a function $Call$ that associates with a thread and a label a set of pairs of thread identifiers and labels.

$$
\begin{array}{l}
Call(0, \ell) = Call(\mathsf{await}\ s, \ell) = Call(\mathsf{emit}\ s, \ell) = \emptyset, \quad Call(A, \ell) = \{(A, \ell)\}, \\
Call(\mathsf{thread}\ T, \ell) = Call(T, \epsilon), \quad Call(T_1;T_2, \ell) = Call(T_1, \kappa) \cup Call(T_2, \ell), \\
Call(\mathsf{watch}\ s\ T, \ell) = Call(T, \kappa)\ .
\end{array}
$$

Definition 12 (constraints) We denote with $Cnst(P)$ the least set of inequality and equality constraints on thread identifiers such that for any equation $A(\vec{x}) = T$ in the program $P$: (1) if $(B, \kappa) \in Call(T, \epsilon)$ then $A > B \in Cnst(P)$ and (2) if $(B, \epsilon) \in Call(T, \epsilon)$ then $A \geq B \in Cnst(P)$.

If $\succeq$ is a pre-order we define: (i) $x \sim y$ if $x \succeq y$ and $y \succeq x$ and (ii) $x \succ y$ if $x \succeq y$ and $x \not\sim y$.

Definition 13 (satisfaction) We say that a pre-order $\succeq$ on thread identifiers satisfies the constraints $Cnst(P)$ if: (1) $A > B \in Cnst(P)$ implies $A \succ B$, (2) $A \geq B \in Cnst(P)$ implies $A \succeq B$, and (3) $\succ$ is well-founded.

We can now state the correctness of our criteria whose proof is delayed to appendix A.4. The reader may check the criteria on example 7.

Proposition 14 If there is a pre-order that satisfies $Cnst(P)$ then the CPS translation preserves the finiteness of the system of equations.
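The analysis of definitions 12 and 13, as an added Python example (not the paper's code), run on the systems quoted in this section, $A = \mathsf{pause}; A; B$ (with $B$ taken to be $0$), $A = (\mathsf{watch}\ s\ \mathsf{pause}; (\mathsf{thread}\ A))$ and $A = (\mathsf{watch}\ s\ \mathsf{pause}; A)$, and on the system of example 7. Two points are assumptions rather than the paper's text: pause is treated like await and $\nu s$ as a transparent context, since the table above lists neither; and satisfiability is decided by taking the reflexive-transitive closure of all constraints as the candidate pre-order, which works exactly when no strict constraint lies on a cycle.

```python
"""The control-flow analysis of section 4.2 (added example, not the paper's code).
Threads are tuples ('nil',), ('emit', s), ('await', s), ('pause',), ('nu', s, T),
('watch', s, T), ('thread', T), ('seq', T1, T2) and ('call', A).  Assumption: pause is
treated like await and nu like a transparent context; the paper's table lists neither."""

EPS, KAPPA = 'eps', 'kappa'        # empty / potentially non-empty evaluation context

def call(T, label):
    """Call(T, label): the set of (identifier, label) pairs reachable from T."""
    k = T[0]
    if k == 'call': return {(T[1], label)}
    if k == 'thread': return call(T[1], EPS)                     # a spawned thread starts with an empty context
    if k == 'seq': return call(T[1], KAPPA) | call(T[2], label)  # T1 runs under the context [ ];T2
    if k == 'watch': return call(T[2], KAPPA)                    # the watch itself is a context
    if k == 'nu': return call(T[2], label)
    return set()                                                 # 0, emit, await, pause

def constraints(defs):
    """Cnst(P) of definition 12 as (strict, weak): strict holds A > B, weak holds A >= B."""
    strict, weak = set(), set()
    for A, body in defs.items():
        for B, label in call(body, EPS):
            (strict if label == KAPPA else weak).add((A, B))
    return strict, weak

def bounded(defs):
    """True iff some well-founded pre-order satisfies Cnst(defs) (definition 13).  The
    reflexive-transitive closure of all constraints is such a pre-order exactly when no
    strict constraint A > B lies on a cycle, i.e. when B never reaches A."""
    strict, weak = constraints(defs)
    succ = {}
    for A, B in strict | weak:
        succ.setdefault(A, set()).add(B)

    def reaches(src, dst):
        seen, todo = set(), [src]
        while todo:
            x = todo.pop()
            if x == dst: return True
            if x not in seen:
                seen.add(x)
                todo.extend(succ.get(x, ()))
        return False

    return not any(reaches(B, A) for A, B in strict)

# Constructed from the systems quoted in section 4.2 and in example 7.
UNBOUNDED = {'A': ('seq', ('pause',), ('seq', ('call', 'A'), ('call', 'B'))), 'B': ('nil',)}
GUARDED = {'A': ('watch', 's', ('seq', ('pause',), ('thread', ('call', 'A'))))}
UNGUARDED = {'A': ('watch', 's', ('seq', ('pause',), ('call', 'A')))}
EX7 = {'A': ('seq', ('watch', 's1', ('call', 'B')), ('seq', ('emit', 's4'), ('call', 'A'))),
       'B': ('seq', ('await', 's2'), ('seq', ('emit', 's3'), ('seq', ('pause',), ('call', 'B'))))}
```

`constraints(UNBOUNDED)` yields the strict constraint $A > A$, which no pre-order satisfies, so `bounded` is false; `GUARDED` only yields $A \geq A$ and passes; `UNGUARDED` yields $A > A$ and fails. For example 7 the constraints are $A > B$, $A \geq A$ and $B \geq B$, satisfied by any pre-order with $A \succ B$, so its CPS translation (example 8) needs finitely many indices.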

5 Expressivity 

In this section we present two basic results on the computational expressivity of the model. First, we show that reactive programs without signal generation are trace equivalent to monotonic deterministic finite state machines, modulo a natural encoding. Second, we notice that the combination of recursion and signal name generation allows us to simulate the computation of two counter machines. Thus, unlike the original SL language, it is not always possible to compile our programs to finite state machines.

5.1 Monotonic Mealy machines 

A monotonic Mealy machine is a particular Mealy machine whose input and output al- 
phabets are powersets and such that the function that determines the output respects the 
inclusion order on powersets. As for programs, we can associate with a monotonic Mealy 
machine a set of traces. 




Definition 15 (monotonic Mealy machine) A finite state, deterministic, reactive, and monotonic Mealy machine (monotonic Mealy machine for short) is a tuple $M = (Q, q_0, I, O, f_Q, f_O)$ where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $I = 2^n$, $O = 2^m$ for $n, m$ natural numbers are the input and output alphabets, respectively, $f_Q : I \times Q \rightarrow Q$ is the function computing the next state, and $f_O : I \times Q \rightarrow O$ is the function computing the output which is monotonic in the input, namely $X \subseteq Y$ implies $f_O(X, q) \subseteq f_O(Y, q)$.

Theorem 16 For every monotonic Mealy machine with input alphabet $I = 2^n$ and output alphabet $O = 2^m$ there is a trace equivalent program with $n$ input signals and $m$ output signals.

Proof. The function $f_Q(\_, q)$ that for a given state $q$ computes the next state as a function of the input can be coded as a cascade of ite's. The function $f_O(\_, q)$ that for a given state $q$ computes the output as a function of the input can be coded as the parallel composition of threads that emit a certain output signal if a certain number of input signals is present in the instant and do nothing otherwise.

Next we develop some details. Let $M = (Q, q_0, I, O, f_Q, f_O)$ with $I = 2^n$ and $O = 2^m$ be a monotonic Mealy machine. We build the corresponding program. We introduce signals $s_1, \ldots, s_n$ for the input and signals $s'_1, \ldots, s'_m$ for the output. Moreover, we introduce a thread identifier $q$ for every state $q \in Q$. Given a state $q$, we associate with the function $f_Q(\_, q) : 2^n \rightarrow Q$ a branching thread $b(q)$. For instance, if the function is defined by:

$$f_Q((1,1), q) = q_1,\quad f_Q((1,0), q) = q_2,\quad f_Q((0,1), q) = q_3,\quad f_Q((0,0), q) = q_1$$

then the corresponding branching thread is:

$$b(q) = \mathsf{ite}\ s_1\ (\mathsf{ite}\ s_2\ q_1\ q_2)\ (\mathsf{ite}\ s_2\ q_3\ q_1)$$

For every state $q$, we introduce an equation of the shape:

$$q = Output(q).\ \mathsf{pause}.\ b(q) \qquad (2)$$

where $Output(q)$ is intended to compute the output function $f_O(\_, q) : 2^n \rightarrow 2^m$. To formalise this, we need some notation. Let $X \subseteq \{1, \ldots, n\}$ denote an input symbol and $j \in \{1, \ldots, m\}$. By monotonicity, if $X \subseteq Y$ and $j \in f_O(X, q)$ then $j \in f_O(Y, q)$. Given a family of threads $\{t_j\}_{j \in J}$, we write $\mathsf{thread}_{j \in J}\ t_j.\ t$ for the thread that spawns, in an arbitrary order, the threads $t_j$ and then runs $t$. Given a set of input signals $\{s_1, \ldots, s_k\}$ and an output signal $s'_j$ we write $\mathsf{await}\{s_1, \ldots, s_k\}.\ t$ for

$$\mathsf{present}\ s_1\ (\cdots (\mathsf{present}\ s_k\ t\ 0) \cdots)$$

which executes $t$ in the first instant it is run if and only if all the signals $s_1, \ldots, s_k$ are present, and terminates otherwise. No signals are emitted in the instants following the first one. With these conventions $Output(q).\ t$ is an abbreviation for

$$(\mathsf{thread}_{X \subseteq \{1, \ldots, n\},\ j \in f_O(X, q)}\ (\mathsf{await}\ \{s_x \mid x \in X\}.\ \mathsf{emit}\ s'_j)).\ t$$

so that the explicit form for equation (2) is:

$$q = (\mathsf{thread}_{X \subseteq \{1, \ldots, n\},\ j \in f_O(X, q)}\ (\mathsf{await}\ \{s_x \mid x \in X\}.\ \mathsf{emit}\ s'_j)).\ \mathsf{pause}.\ b(q)\ .$$



One may wonder whether our synchronous language may represent non-monotonic Mealy machines. The answer to this question is negative as long as we adopt the encoding of the input above where $2^n$ input symbols are mapped to $n$ signals. This fact easily follows from the monotonicity property of the model noted in section [?]. However, the answer is positive if we adopt a less compact representation where $n$ input symbols are mapped to $n$ signals.

Next we focus on the expressive power of the reactive programs we can write in the tail recursive calculus presented in section [?] without signal generation but with general recursion and thread spawning.

Theorem 17 For every reactive tail recursive program with $n$ input signals and $m$ output signals and without signal generation there is a trace equivalent monotonic Mealy machine with input alphabet $2^n$ and output alphabet $2^m$.

Proof. The construction takes several steps but the basic idea is simple: it is useless to 
run twice or more times through the same 'control point' within the same instant. Instead 
we record the set of control points that have been reached along with the signals that have 
been emitted and in doing so we are bound to reach a fixed point. 

We start with some preliminary considerations that allow us to simplify the representation of programs.

(1) Since there is no signal generation a program depends on a finite set $S_0$ of signal names. As a first step we can remove parameters from recursive equations. To this end, replace every parametric equation $A(x) = t$ with a finite number of equations (without parameters) of the shape $A_s = [s/x]t$ for $s$ ranging over tuples of signal names in $S_0$.

(2) As a second step, we put the recursive equations in normal form. By introducing auxiliary thread identifiers, we may assume the equations have the shape $A = t$ where

$$t ::= 0 \mid \mathsf{emit}\ s.B \mid \mathsf{present}\ s\ B\ b \mid \mathsf{thread}\ B.B' \qquad\qquad b ::= A \mid \mathsf{ite}\ s\ b\ b$$

We denote with $Id_0$ the finite set of thread identifiers.

(3) Because there is no signal name generation, we may simply represent the environment $E$ as a subset of $S_0$ and because the threads are in normal form we may simply represent a program $P$ as a multi-set of identifiers in $Id_0$. The small step reduction of the pair $(P, E)$ is then described as follows:

$$(P \cup \{\!|A|\!\}, E) \rightarrow (P \cup \{\!|B|\!\}, E \cup \{s\}) \qquad \text{if } A = \mathsf{emit}\ s.B$$
$$(P \cup \{\!|A|\!\}, E) \rightarrow (P \cup \{\!|B|\!\}, E) \qquad \text{if } A = \mathsf{present}\ s\ B\ b,\ s \in E$$
$$(P \cup \{\!|A|\!\}, E) \rightarrow (P \cup \{\!|B_1, B_2|\!\}, E) \qquad \text{if } A = \mathsf{thread}\ B_1.B_2$$

Notice that in this presentation, the unfolding of recursive definitions is kept implicit. If the program is reactive we know that the evaluation of a pair $(P, E)$ eventually terminates in a configuration $(P', E')$ such that if $A \in P'$ then either $A = 0$ or $A = \mathsf{present}\ s\ B\ b$ and $s \notin E'$. The evaluation at the end of the instant $\lfloor P' \rfloor_{E'}$ is then a particular case of the one defined in section [?] for tail recursive threads and produces again a multi-set of thread identifiers.

(4) We now consider an alternative representation of a program as a set $q$ of identifiers in $Id_0$. We define a small step reduction on configurations $(q, E)$ as follows:

$$(q \cup \{A\}, E) \rightarrow (q \cup \{A, B\}, E \cup \{s\}) \qquad \text{if } A = \mathsf{emit}\ s.B,\ (B \notin q \cup \{A\} \text{ or } s \notin E)$$
$$(q \cup \{A\}, E) \rightarrow (q \cup \{A, B\}, E) \qquad \text{if } A = \mathsf{present}\ s\ B\ b,\ s \in E,\ B \notin q \cup \{A\}$$
$$(q \cup \{A\}, E) \rightarrow (q \cup \{A, B_1, B_2\}, E) \qquad \text{if } A = \mathsf{thread}\ B_1.B_2,\ \{B_1, B_2\} \not\subseteq q \cup \{A\}$$

Note that at each reduction step either the program $q$ or the environment $E$ increase strictly while the other component does not decrease. Consequently, this reduction process (unlike the previous one) necessarily terminates. The evaluation at the end of the instant is now defined as follows:

$$\lfloor q \rfloor_E = \{A \in q \mid A = 0\} \cup \{\lfloor b \rfloor_E \mid A \in q,\ A = \mathsf{present}\ s\ B\ b,\ \text{and } s \notin E\}\ .$$

Notice that $q$ may contain, e.g., a thread identifier $A$ such as $A = \mathsf{emit}\ s.B$ and that $A$ is removed by the function $\lfloor \_ \rfloor_E$.

(5) We now relate the two representations of the programs and the associated evaluation strategies where if $P$ is a multi-set we let $set(P) = \{A \mid A \in P\}$ be the corresponding set where we forget multiplicities.

Lemma 18 Suppose $(P_1, E_1) \rightarrow \cdots \rightarrow (P_n, E_n)$ with $n \geq 1$ and $q = set(P_1 \cup \cdots \cup P_n)$. Then:

(1) If $(P_n, E_n) \rightarrow (P_{n+1}, E_{n+1})$ then either $E_n = E_{n+1}$ and $set(P_{n+1}) \subseteq q$ or $(q, E_n) \rightarrow (q', E_{n+1})$ and $q' = set(P_1 \cup \cdots \cup P_{n+1})$.

(2) If $(q, E_n) \rightarrow (q', E_{n+1})$ then $(P_n, E_n) \rightarrow (P_{n+1}, E_{n+1})$ and $q' = set(P_1 \cup \cdots \cup P_{n+1})$.

(3) If $(P_n, E_n) \downarrow$ then $set(\lfloor P_n \rfloor_{E_n}) = \lfloor q \rfloor_{E_n}$.

Proof. (1) By case analysis on the small step reduction for multi-sets.

(2) By case analysis on the small step reduction for sets. Note that if the reduction rule is applied to $A \in q$ then necessarily $A \in P_n$. Indeed, if $A \in P_k$ and $A \notin P_{k+1}$ with $k < n$ we can conclude that a reduction rule has been applied to $A$ on the multi-set side and this contradicts the hypotheses for the firing of the rule on the set side.

(3) We check that if $A = 0$ and $A \in q$ then $A \in P_n$ and that if $A = \mathsf{present}\ s\ B\ b$, $s \notin E_n$ and $A \in q$ then $A \in P_n$. □

(6) We define

$$Closure(q, E) = (q', E') \qquad \text{if } (q, E) \rightarrow^{*} (q', E') \not\rightarrow$$

The $Closure$ operator is well defined because the reduction relation is strongly confluent and it always terminates.

(7) As a final step, given a reactive program $P$ in normal form with identifiers $Id_0$, $n$ input signals $s_1, \ldots, s_n$ and $m$ output signals $s'_1, \ldots, s'_m$, we build a trace equivalent monotonic Mealy machine $M = (Q, q_0, I, O, f_Q, f_O)$ as follows: $Q = 2^{Id_0}$, $q_0 = set(P)$, $I = 2^n$, $O = 2^m$, and $(f_Q(E, q), f_O(E, q)) = Closure(q, E)$. □
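The Python program below is an added illustration of steps (3), (4), (6) and (7) of the proof and is not code from the paper. It implements both small-step reductions on a tuple encoding of normal-form equations (the encoding is my own), the $Closure$ operator, the end-of-instant function on sets, and one step of the derived Mealy machine; for the latter, the next state is taken to be the end-of-instant value of the closure and the output the emitted output signals, which is my reading of step (7). It also shows the failure mode the text mentions: on a program that re-spawns itself within an instant, the multi-set reduction never suspends, while the set-based reduction still reaches its closure. Both programs are constructed for the example.

```python
# Added example (not from the paper). Hypothetical encoding of equation bodies:
#   ("nil",)               A = 0
#   ("emit", s, B)         A = emit s.B
#   ("present", s, B, b)   A = present s B b
#   ("thread", B1, B2)     A = thread B1.B2
# where an end-of-instant branch b is an identifier or ("ite", s, b1, b2).
from collections import Counter

def eval_branch(b, env):
    """Value of a branch b in environment env: follow ite on present signals."""
    while not isinstance(b, str):
        _, s, b1, b2 = b
        b = b1 if s in env else b2
    return b

def set_step(prog, q, env):
    """One step of the set-based reduction (step 4), or None when (q, env) is
    final. Every rule strictly enlarges q or env, hence termination."""
    for a in sorted(q):
        body = prog[a]
        if body[0] == "emit":
            _, s, b = body
            if b not in q or s not in env:
                return q | {b}, env | {s}
        elif body[0] == "present":
            _, s, b, _ = body
            if s in env and b not in q:
                return q | {b}, env
        elif body[0] == "thread":
            _, b1, b2 = body
            if not {b1, b2} <= q:
                return q | {b1, b2}, env
    return None

def closure(prog, q, env):
    """Closure(q, E): iterate the set-based reduction to its normal form."""
    q, env = frozenset(q), frozenset(env)
    nxt = set_step(prog, q, env)
    while nxt is not None:
        q, env = nxt
        nxt = set_step(prog, q, env)
    return q, env

def end_of_instant(prog, q, env):
    """Floor of q in env: keep the 0 threads and the branches of the present
    statements whose signal is absent; emit and thread identifiers vanish."""
    nxt = set()
    for a in q:
        body = prog[a]
        if body[0] == "nil":
            nxt.add(a)
        elif body[0] == "present" and body[1] not in env:
            nxt.add(eval_branch(body[3], env))
    return frozenset(nxt)

def mealy_step(prog, q, inputs, outputs):
    """One instant of the Mealy machine of step (7), in my reading: next state
    = end of instant of the closure, output = emitted output signals."""
    q2, env2 = closure(prog, q, frozenset(inputs))
    return end_of_instant(prog, q2, env2), frozenset(env2) & frozenset(outputs)

def multiset_run(prog, threads, env, limit=100):
    """Multi-set reduction (step 3): number of steps until no rule applies,
    or None if the configuration has not suspended after `limit` steps."""
    P, env = Counter(threads), set(env)
    for steps in range(limit):
        chosen = None
        for a in sorted(P):
            k = prog[a][0]
            if k in ("emit", "thread") or (k == "present" and prog[a][1] in env):
                chosen = a
                break
        if chosen is None:
            return steps
        body = prog[chosen]
        P[chosen] -= 1
        if P[chosen] == 0:
            del P[chosen]
        if body[0] == "emit":
            env.add(body[1])
            P[body[2]] += 1
        elif body[0] == "present":
            P[body[2]] += 1
        else:
            P[body[1]] += 1
            P[body[2]] += 1
    return None

# Constructed reactive program: A waits for "in"; if present, it emits "out"
# and ends the instant as D (= 0), otherwise it resumes next instant as C.
REACTIVE = {
    "A": ("present", "in", "B", "C"),
    "B": ("emit", "out", "D"),
    "C": ("present", "in", "B", "C"),
    "D": ("nil",),
}
# Constructed non-reactive program: C re-spawns A within the same instant.
LOOPING = {
    "A": ("emit", "s", "B"),
    "B": ("present", "s", "C", "C"),
    "C": ("thread", "A", "D"),
    "D": ("nil",),
}

if __name__ == "__main__":
    print(mealy_step(REACTIVE, {"A"}, {"in"}, {"out"}))
    print(closure(LOOPING, {"A"}, set()), multiset_run(LOOPING, ["A"], set()))
```

The order in which `set_step` picks an identifier does not matter for the result of `closure`, which is the strong confluence the text relies on to make $Closure$ well defined.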

By combining theorems 16 and 17 we can conclude that the reactive programs we can write without signal generation are exactly those definable by monotonic Mealy machines modulo a natural encoding.

5.2 Undecidability 

The following result can be used to show that various questions about the behaviours of programs are undecidable. The encoding idea is similar to the one presented for CCS in [?]. The details are presented in appendix A.5.

Theorem 19 For any deterministic 2-counter machine there is a reactive program with 
signal generation that will eventually emit on a certain signal if and only if the computation 
of the 2-counter machine terminates. 

6 Program equivalence 

The formalisation of the SL model we have considered so far is close to an abstract machine. Typical symptoms include an ad hoc definition of $\alpha$-renaming (cf. section [?]), a global notion of environment, and the fact that roughly threads compose but do not reduce while programs reduce but do not compose. We introduce next an alternative description of the tail recursive model featuring a uniform notation for threads, programs, and environments. This alternative description is instrumental to the development of a notion of program equivalence based on the concept of bisimulation following a CCS style. The theory is built so that it does not depend on the determinacy of the language. Indeed practical extensions of the language have been considered where signals carry data values and the act of receiving a value may introduce non-determinism. A theory of program equivalence should be sufficiently robust to accommodate these extensions.

6.1 Programs 

We extend the syntax of tail recursive threads so that it includes both environments and 
programs in a uniform notation. 

$$P ::= 0 \mid \mathsf{emit}\ s \mid \mathsf{present}\ s\ P\ B \mid P \mid P \mid \nu s\ P \mid A(\mathbf{s}) \qquad\qquad B ::= P \mid \mathsf{ite}\ s\ B\ B$$

We refrain from introducing syntax like $\mathsf{emit}\ s.P$ and $\mathsf{thread}\ P'.P$ which can be understood as syntactic sugar for $(\mathsf{emit}\ s) \mid P$ and $P' \mid P$, respectively.



6.2 Actions and labelled transition system 

Actions are denoted by $\alpha, \alpha', \ldots$ and they are defined by the grammar: $\alpha ::= \tau \mid s \mid \bar{s}$. We write $s \in \alpha$ if $\alpha = s$ or $\alpha = \bar{s}$. We define a labelled transition system which is similar to the one for CCS except for a different treatment of emission which is persistent within an instant. Technically, (i) an emission behaves as a replicated output (rule (out)) and (ii) in the continuation of a present statement the tested signal is still emitted (rule (in)); this guarantees that the continuation can only evolve in an environment where the signal $s$ is emitted.¹

$$(out)\quad \mathsf{emit}\ s \xrightarrow{\bar{s}} \mathsf{emit}\ s \qquad\qquad (in)\quad \mathsf{present}\ s\ P\ B \xrightarrow{s} P \mid (\mathsf{emit}\ s)$$

$$(\tau)\quad \frac{P_1 \xrightarrow{s} P'_1 \qquad P_2 \xrightarrow{\bar{s}} P'_2}{P_1 \mid P_2 \xrightarrow{\tau} P'_1 \mid P'_2} \qquad\qquad (par)\quad \frac{P_1 \xrightarrow{\alpha} P'_1}{P_1 \mid P_2 \xrightarrow{\alpha} P'_1 \mid P_2}$$

$$(\nu)\quad \frac{P \xrightarrow{\alpha} P' \qquad s \notin \alpha}{\nu s\ P \xrightarrow{\alpha} \nu s\ P'} \qquad\qquad (rec)\quad \frac{A(\mathbf{x}) = P}{A(\mathbf{s}) \xrightarrow{\tau} [\mathbf{s}/\mathbf{x}]P}$$

As usual, we omit the symmetric rules for $(par, \tau)$. We note the following properties of the labelled transition system where $\equiv$ stands for syntactic identity up to renaming of bound names.

Proposition 20 (1) If $P \xrightarrow{\bar{s}} P'$ then $P \equiv P'$.

(2) If $P \xrightarrow{\bar{s}} \cdot$ and $P \xrightarrow{\alpha} P'$ then $P' \xrightarrow{\bar{s}} \cdot$.

(3) If $P \xrightarrow{s} P'$ then $P' \xrightarrow{\bar{s}} \cdot$.



6.3 End of the instant 

We define the computation at the end of the instant while relying on the following notation: $P \xrightarrow{\alpha} \cdot$ for $\exists P'\ P \xrightarrow{\alpha} P'$ and $P \downarrow$ for $\neg(P \xrightarrow{\tau} \cdot)$. Suppose $P \downarrow$ and all bound signal names in $P$ are renamed so as to be distinct and different from the free signal names. First, we compute the set of emitted signals $S = Em(P)$ as follows:

$$Em(\mathsf{emit}\ s) = \{s\}, \qquad Em(0) = Em(\mathsf{present}\ s\ P\ B) = \emptyset,$$
$$Em(P_1 \mid P_2) = Em(P_1) \cup Em(P_2), \qquad Em(\nu s\ P) = Em(P)\ .$$

¹ This is close in spirit, if not in the technical development, to Prasad's Calculus of Broadcasting Systems [?]; see also [?].

Second, we compute $\lfloor P \rfloor = \lfloor P \rfloor_{Em(P)}$ where we remove all emitted signals and compute the $B$ branches relying on the auxiliary functions $\lfloor \_ \rfloor_S$ and $(\!| \_ |\!)_S$ defined as follows:

$$\lfloor \mathsf{emit}\ s \rfloor_S = \lfloor 0 \rfloor_S = 0, \qquad \lfloor \mathsf{present}\ s\ P\ B \rfloor_S = (\!| B |\!)_S,$$
$$\lfloor \nu s\ P \rfloor_S = \nu s\ \lfloor P \rfloor_S, \qquad \lfloor P_1 \mid P_2 \rfloor_S = \lfloor P_1 \rfloor_S \mid \lfloor P_2 \rfloor_S,$$

One can verify that the function $\lfloor \_ \rfloor$ is invariant under $\alpha$-renaming: if $P_1 \equiv P_2$ then $\lfloor P_1 \rfloor \equiv \lfloor P_2 \rfloor$.

6.4 Barbed and contextual bisimulations

As usual, we write $P \Rightarrow P'$ for $P (\xrightarrow{\tau})^{*} P'$ and $P \stackrel{\alpha}{\Rightarrow} P'$ with $\alpha \neq \tau$ for $P (\Rightarrow)(\xrightarrow{\alpha})(\Rightarrow) P'$.

Definition 21 We define:

$$P \Downarrow \quad \text{if } \exists P'\ (P \Rightarrow P' \text{ and } P' \downarrow) \qquad \text{(weak suspension)}$$
$$P \Downarrow_L \quad \text{if } P \xrightarrow{\alpha_1} P_1 \cdots \xrightarrow{\alpha_n} P_n,\ n \geq 0, \text{ and } P_n \downarrow \qquad \text{(L-suspension)}$$

Obviously $P \downarrow$ implies $P \Downarrow$ which in turn implies $P \Downarrow_L$. The L-suspension predicate (L for labelled) plays an important role in the following definitions of bisimulation.

Definition 22 A (static) context $C$ is defined by $C ::= [\ ] \mid C \mid P \mid \nu s\ C$.

Proposition 23 Let $P$ be a program. The following are equivalent:

(1) $P \Downarrow_L$.

(2) There is a program $Q$ such that $(P \mid Q) \Downarrow$.

(3) There is a static context $C$ such that $C[P] \Downarrow_L$.

Proof. ($1 \Rightarrow 2$) Suppose $P \xrightarrow{\alpha_1} P_1 \cdots \xrightarrow{\alpha_n} P_n$ and $P_n \downarrow$. We build $Q$ by induction on $n$. If $n = 0$ we take $Q = 0$. Otherwise, suppose $n > 0$. By inductive hypothesis, there is $Q_1$ such that $(P_1 \mid Q_1) \Downarrow$. We proceed by case analysis on the first action $\alpha_1$. We may assume $\alpha_1$ is not an emission action for otherwise we can build a shorter sequence of transitions.

($\alpha_1 = \tau$) Then we take $Q = Q_1$ and $(P \mid Q_1) \xrightarrow{\tau} (P_1 \mid Q_1)$.

($\alpha_1 = s$) Let $Q = (Q_1 \mid \mathsf{emit}\ s)$. We have $(P \mid Q) \xrightarrow{\tau} (P_1 \mid Q_1 \mid \mathsf{emit}\ s)$. Since $P_1 \xrightarrow{\bar{s}} P_1$, we observe that $(P_1 \mid Q_1) \Downarrow$ implies $(P_1 \mid Q_1 \mid \mathsf{emit}\ s) \Downarrow$.

($2 \Rightarrow 3$) Take $C = [\ ] \mid Q$.

($3 \Rightarrow 1$) First, check by induction on a static context $C$ that $P \xrightarrow{\tau} \cdot$ implies $C[P] \xrightarrow{\tau} \cdot$. Hence $C[P] \downarrow$ implies $P \downarrow$. Second, show that $C[P] \xrightarrow{\alpha} Q$ implies that $Q = C'[P']$ and either $P = P'$ or $P \rightarrow P'$. Third, suppose $C[P] \xrightarrow{\alpha_1} Q_1 \cdots \xrightarrow{\alpha_n} Q_n$ with $Q_n \downarrow$. Show by induction on $n$ that $P \Downarrow_L$. Proceed by case analysis on the context $C$ and the action $\alpha_1$. □

Interestingly, the second characterisation shows that the L-suspension predicate can be defined just in terms of the $\tau$ transitions and the suspension predicate. This means that the following definitions of barbed and contextual bisimulation can be given independently of the labelled transition system.

Definition 24 (barbed bisimulation) A symmetric relation $R$ on programs is a barbed bisimulation if whenever $P\ R\ Q$ the following holds:

(B1) If $P \xrightarrow{\tau} P'$ then $\exists Q'\ (Q \Rightarrow Q'$ and $P'\ R\ Q')$.

(B2) If $P \downarrow$ then $\exists Q'\ (Q \Rightarrow Q'$, $Q' \downarrow$, $P\ R\ Q'$, and $\lfloor P \rfloor\ R\ \lfloor Q' \rfloor)$.

(B3) If $P \xrightarrow{\bar{s}} \cdot$ and $P \Downarrow_L$ then $\exists Q'\ (Q \Rightarrow Q'$, $Q' \xrightarrow{\bar{s}} \cdot$, and $P\ R\ Q')$.

We denote with $\approx_B$ the largest barbed bisimulation.

It is easily checked that $\approx_B$ is reflexive and transitive. A reasonable notion of program equivalence should be preserved by the static contexts. We define accordingly a notion of contextual bisimulation.²

Definition 25 (contextual bisimulation) A symmetric relation $R$ on programs is a contextual bisimulation if it is a barbed bisimulation (conditions B1-3) and moreover whenever $P\ R\ Q$ then

(C1) $C[P]\ R\ C[Q]$, for any context $C$.

We denote with $\approx_C$ the largest contextual bisimulation.

Again it is easily checked that $\approx_C$ is reflexive and transitive. By its very definition, it follows that $P \approx_C Q$ implies $C[P] \approx_C C[Q]$ and $P \approx_B Q$.

6.5 Labelled bisimulation 

Aiming at a more effective description of the notion of contextual bisimulation, we introduce 
a notion of labelled bisimulation. 

Definition 26 (labelled bisimulation) A symmetric relation $R$ on programs is a labelled bisimulation if it is a barbed bisimulation (conditions B1-3) and moreover whenever $P\ R\ Q$ the following holds:

(L1) If $P' = (P \mid S) \downarrow$ with $S = \mathsf{emit}\ s_1 \mid \cdots \mid \mathsf{emit}\ s_n$, $n \geq 0$ then $\exists Q'\ ((Q \mid S) \Rightarrow Q'$, $Q' \downarrow$, $P'\ R\ Q'$, and $\lfloor P' \rfloor\ R\ \lfloor Q' \rfloor)$.

(L2) If $P \xrightarrow{s} P'$ then either $\exists Q'\ (Q \stackrel{s}{\Rightarrow} Q'$ and $P'\ R\ Q')$ or $\exists Q'\ (Q \Rightarrow Q'$ and $P'\ R\ (Q' \mid \mathsf{emit}\ s))$.

We denote with $\approx_L$ the largest labelled bisimulation.

² Here we adopt the notion of contextual equivalence introduced by [?] for the $\pi$-calculus. An alternative approach is to consider a notion of barbed equivalence [?]. We refer to [5] for a comparison of the two methods.

Remark 27 (1) Condition (L1) strengthens (B2), therefore in the following proof the analysis of (B2) is subsumed by the one of (L1). To see the necessity of condition (L1), consider

$$P = \mathsf{present}\ s_1\ (\mathsf{ite}\ s_2\ (\mathsf{emit}\ s_3)\ 0) \qquad \text{and} \qquad Q = \mathsf{present}\ s_2\ 0\ .$$

Then $P \downarrow$, $Q \downarrow$, and $\lfloor P \rfloor = \lfloor Q \rfloor = 0$ so that conditions (B1-3) and (L2) are satisfied. However, if we plug $P$ and $Q$ in the context $[\ ] \mid (\mathsf{emit}\ s_2)$ then the resulting programs exhibit different behaviours. It is not difficult to show that condition (L1) can be optimised so that we only consider emissions on signals which are free in the programs under consideration. For instance, a simple corollary of this optimisation is that labelled bisimulation is decidable for programs without recursive definitions.

(2) Condition (L2) has already appeared in the literature in the context of the asynchronous $\pi$-calculus [?].

(3) There is no condition for the emission because by proposition 20 condition (B3) is equivalent to the following one:

if $P \xrightarrow{\bar{s}} P'$ and $P \Downarrow_L$ then $\exists Q'\ (Q \stackrel{\bar{s}}{\Rightarrow} Q'$ and $P'\ R\ Q')$.

(4) The condition $P \Downarrow_L$ in (B3) is always satisfied by reactive programs which are those we are really interested in. We will see in section 6.9 that thanks to strong confluence, the condition $P \Downarrow_L$ can be replaced by the condition $P \Downarrow$ or equivalently by the condition $P \downarrow$. However, one should keep in mind that there are non-deterministic extensions of the language where this identification fails and where moreover the definitions based on the weaker conditions $P \downarrow$ or $P \Downarrow$ lead to notions of labelled bisimulation which are not preserved by parallel composition. For this reason, our definitions of bisimulation are based on the L-suspension predicate.

We can now state the main result of this section. 

Theorem 28 $P \approx_C Q$ iff $P \approx_L Q$.

We outline the proof argument which is developed in the following. First, we note that labelled bisimulation equates all programs which cannot L-suspend and moreover it never equates a program which L-suspends to one which cannot. Second, we introduce a notion of strong labelled bisimulation which is contained in labelled bisimulation. It is shown that strong labelled bisimulation satisfies some useful laws like associativity, commutativity, commutation of signal name generation, etc. Third, we develop a notion of labelled bisimulation up to strong labelled bisimulation that considerably simplifies reasoning about labelled bisimulation. Fourth, we show that $\approx_C$ is a labelled bisimulation up to strong labelled bisimulation so that $P \approx_C Q$ implies $P \approx_L Q$. Fifth, we show that labelled bisimulation is preserved by parallel composition with signal emission, it is reflexive and transitive, and it is preserved by signal name generation, parallel composition, and the present operator. In particular, it follows that $\approx_L$ is preserved by the static contexts, i.e., $\approx_L$ is a contextual barbed bisimulation and therefore $P \approx_L Q$ implies $P \approx_C Q$.
6.6 Labelled bisimulation and L-suspension

We observe some remarkable properties of the L-suspension predicate. 

Proposition 29 (1) If $\neg P \Downarrow_L$ and $\neg Q \Downarrow_L$ then $P \approx_L Q$.

(2) If $P \approx_L Q$ and $P \Downarrow_L$ then $Q \Downarrow_L$.

Proof. First we note the following properties:

(A) By proposition 23, if $(P \mid Q) \Downarrow_L$ then $P \Downarrow_L$.

(B) By definition, if $\neg P \Downarrow_L$ and $P \xrightarrow{\alpha} P'$ then $\neg P' \Downarrow_L$.

(1) We show that $\{(P, Q) \mid \neg P \Downar­row_L \text{ and } \neg Q \Downarrow_L\}$ is a labelled bisimulation.

(B1) By (B), if $\neg P \Downarrow_L$ and $P \xrightarrow{\tau} P'$ then $\neg P' \Downarrow_L$.

(B3) The hypothesis is not satisfied.

(L1) By (A), if $\neg P \Downarrow_L$ then $\neg (P \mid S) \Downarrow_L$. Hence $\neg (P \mid S) \downarrow$.

(L2) By (B), if $\neg P \Downarrow_L$ and $P \xrightarrow{s} P'$ then $\neg P' \Downarrow_L$. Then we match the transition with $Q \Rightarrow Q$ and by (A) $\neg Q \Downarrow_L$ implies $\neg (Q \mid (\mathsf{emit}\ s)) \Downarrow_L$.

(2) We proceed by induction on the shortest reduction such that $P \xrightarrow{\alpha_1} P_1 \cdots \xrightarrow{\alpha_n} P_n$ and $P_n \downarrow$. Note that in such a reduction no emission action $\bar{s}$ occurs (otherwise a shorter reduction can be found). If $n = 0$ then (B2) requires $Q \Rightarrow Q'$ and $Q' \downarrow$. Hence $Q \Downarrow_L$. If $n > 0$ then we consider the first action $\alpha_1$. If $\alpha_1 = \tau$ then (B1) requires $Q \Rightarrow Q_1$ and $P_1 \approx_L Q_1$. Then $Q_1 \Downarrow_L$ by inductive hypothesis on $P_1$. Hence $Q \Downarrow_L$. If $\alpha_1 = s$ then we have to consider two cases. If $Q \stackrel{s}{\Rightarrow} Q_1$ and $P_1 \approx_L Q_1$ then $Q_1 \Downarrow_L$ by inductive hypothesis on $P_1$. Hence $Q \Downarrow_L$. If on the other hand $Q \Rightarrow Q_1$ and $P_1 \approx_L Q_1 \mid (\mathsf{emit}\ s)$ then $Q_1 \mid (\mathsf{emit}\ s) \Downarrow_L$. Hence by (A) $Q_1 \Downarrow_L$, and $Q \Downarrow_L$. □



6.7 Strong labelled bisimulation and an up-to technique 

To bootstrap reasoning about labelled bisimulation, it is convenient to introduce a much 
stronger notion of labelled bisimulation. 

Definition 30 (strong labelled bisimulation) A symmetric relation $R$ on programs is a strong labelled bisimulation if whenever $P\ R\ Q$ the following holds:

(S1) $P \xrightarrow{\alpha} P'$ implies $\exists Q'\ (Q \xrightarrow{\alpha} Q'$ and $P'\ R\ Q')$.

(S2) $(P \mid S) \downarrow$ with $S = (\mathsf{emit}\ s_1) \mid \cdots \mid (\mathsf{emit}\ s_n)$, $n \geq 0$ implies $(P \mid S)\ R\ (Q \mid S)$ and $\lfloor P \mid S \rfloor\ R\ \lfloor Q \mid S \rfloor$.³

We denote with $\equiv_L$ the largest strong labelled bisimulation.

³ The condition $(Q \mid S) \downarrow$ follows by (S1).

Note that in definition 30 not only do we forbid weak internal moves but we also drop the convergence condition in (B3) and the possibility of matching an input with an internal transition in (L2). For this reason, we adopt the notation $\equiv_L$ rather than the usual $\sim_L$. We say that a relation $R$ is a strong labelled bisimulation up to strong labelled bisimulation if the conditions (S1-2) hold when we replace $R$ with the larger relation $(\equiv_L) \circ R \circ (\equiv_L)$. Strong labelled bisimulation enjoys some useful properties whose standard proof is delayed to appendix A.7.

Lemma 31 (1) $\equiv_L$ is a reflexive and transitive relation.

(2) If $P \equiv_L Q$ then $P \approx_L Q$.

(3) The following laws hold:

$$P \mid 0 \equiv_L P, \qquad P_1 \mid (P_2 \mid P_3) \equiv_L (P_1 \mid P_2) \mid P_3,$$
$$P_1 \mid P_2 \equiv_L P_2 \mid P_1, \qquad \nu s\ P_1 \mid P_2 \equiv_L \nu s\ (P_1 \mid P_2) \quad \text{if } s \notin sig(P_2)\ .$$

(4) If $P \equiv_L Q$ then $P \mid S \equiv_L Q \mid S$ where $S = P_1 \mid \cdots \mid P_n$ and $P_i = 0$ or $P_i = (\mathsf{emit}\ s_i)$, for $i = 1, \ldots, n$, $n \geq 0$.

(5) If $R$ is a strong labelled bisimulation up to strong labelled bisimulation then $(\equiv_L) \circ R \circ (\equiv_L)$ is a strong labelled bisimulation.

(6) If $P \xrightarrow{\bar{s}} \cdot$ then $P \equiv_L P \mid (\mathsf{emit}\ s)$.

(7) If $P_1 \equiv_L P_2$, then $\nu s\ P_1 \equiv_L \nu s\ P_2$ and $P_1 \mid Q \equiv_L P_2 \mid Q$.

We use strong labelled bisimulation in the context of a rather standard 'up to technique'.

Definition 32 A relation $R$ is a labelled bisimulation up to $\equiv_L$ if the conditions (B1-3) and (L1-2) are satisfied when replacing the relation $R$ with the (larger) relation $(\equiv_L) \circ R \circ (\equiv_L)$.

Lemma 33 Let $R$ be a labelled bisimulation up to $\equiv_L$. Then:

(1) The relation $(\equiv_L) \circ R \circ (\equiv_L)$ is a labelled bisimulation.

(2) If $P\ R\ Q$ then $P \approx_L Q$.

Proof. (1) A direct diagram chasing using the congruence properties of $\equiv_L$.

(2) Follows directly from (1). □

6.8 Characterisation 

As a first application of the 'up to technique', we show that $P \approx_C Q$ implies $P \approx_L Q$.

Lemma 34 $\approx_C$ is a labelled bisimulation up to $\equiv_L$.

Proof. Suppose $P \approx_C Q$. We check conditions (L1-2).

(L1) Suppose $S = (\mathsf{emit}\ s_1) \mid \cdots \mid (\mathsf{emit}\ s_n)$ and $(P \mid S) \downarrow$. Since $\approx_C$ is preserved by parallel composition we derive $P \mid S \approx_C Q \mid S$. Then we conclude by applying condition (B2).

(L2) Suppose $P \xrightarrow{s} P'$. By lemma 31(6), this implies $P' \equiv_L P' \mid (\mathsf{emit}\ s)$. Since $\approx_C$ is preserved by parallel composition we know $P \mid (\mathsf{emit}\ s) \approx_C Q \mid (\mathsf{emit}\ s)$. From this and the fact that $P \mid (\mathsf{emit}\ s) \xrightarrow{\tau} P' \mid (\mathsf{emit}\ s)$ condition (B1) allows us to derive that $Q \mid (\mathsf{emit}\ s) \Rightarrow Q' \mid (\mathsf{emit}\ s)$ and $P' \mid (\mathsf{emit}\ s) \approx_C Q' \mid (\mathsf{emit}\ s)$. Two cases may arise: (1) $Q \stackrel{s}{\Rightarrow} Q'$. Then we have $P' \equiv_L P' \mid (\mathsf{emit}\ s) \approx_C Q' \mid (\mathsf{emit}\ s) \equiv_L Q'$. (2) $Q \Rightarrow Q'$. Then we have $P' \equiv_L P' \mid (\mathsf{emit}\ s) \approx_C Q' \mid (\mathsf{emit}\ s)$. In both cases we close the diagram up to $\equiv_L$. □

As a second application of the 'up to technique' we prove some desirable congruence properties of the labelled bisimulation (the proofs are delayed to appendix A.8). Assume $\mathsf{pause}.B$ abbreviates $\nu s\ \mathsf{present}\ s\ B$ for $s \notin sig(B)$. We write $B_1 \approx_L B_2$ if $\mathsf{pause}.B_1 \approx_L \mathsf{pause}.B_2$.

Lemma 35 (1) If $P \approx_L Q$ then $P \mid (\mathsf{emit}\ s) \approx_L Q \mid (\mathsf{emit}\ s)$.

(2) The relation $\approx_L$ is reflexive and transitive.

(3) If $P \approx_L Q$ then $\nu s\ P \approx_L \nu s\ Q$.

(4) If $P_1 \approx_L P_2$ then $P_1 \mid Q \approx_L P_2 \mid Q$.

(5) If $P \approx_L P'$ and $B \approx_L B'$ then $\mathsf{present}\ s\ P\ B \approx_L \mathsf{present}\ s\ P'\ B'$.

The lemma above entails that $\approx_L$ is preserved by static contexts. Hence $P \approx_L Q$ implies $P \approx_C Q$. This remark combined with lemma 34 concludes the proof of theorem 28.
6.9 Exploiting confluence

We can easily adapt the trace semantics presented in section 2.3 to the present context. If $P$ is a program we write ($\Pi$ for the parallel composition):

$$P \stackrel{I/O}{\Rightarrow} P' \quad \text{if } P \mid P_I \Rightarrow P'', \text{ with } P_I = \Pi_{s \in I}\ \mathsf{emit}\ s,\ P'' \downarrow,\ O = \{s \mid P'' \xrightarrow{\bar{s}} \cdot\}, \text{ and } P' = \lfloor P'' \rfloor\ .$$

and we associate with $P$ a set of traces $tr(P)$ as in section 2.5. A general argument shows that labelled bisimulation is a refinement of trace equivalence.
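The Python program below is an added illustration and is not code from the paper: it executes the $\tau$ transitions of the labelled transition system of section 6.2 (rules (in), (out), ($\tau$), (par), ($\nu$), (rec)), the functions $Em$ and $\lfloor \_ \rfloor$ of section 6.3, and the trace step $P \stackrel{I/O}{\Rightarrow} P'$ just defined, on a tuple encoding of programs that is my own. It keeps bound names distinct from one another and from the free names by renaming $\nu$-bound names at every unfolding of a recursive definition, which is the convention section 6.3 assumes; under that convention a present on $s$ has a $\tau$ transition exactly when $\mathsf{emit}\ s$ is among the active emissions. The meaning assumed for $\mathsf{ite}$ in a branch is the obvious one (choose by presence of the signal in the emitted set), and the definition $Flip$ is constructed for the example, using $\mathsf{pause}.B = \nu t\ \mathsf{present}\ t\ 0\ B$ from section 6.8.

```python
# Added example (not from the paper). Hypothetical program encoding:
#   ("nil",)  ("emit", s)  ("present", s, P, B)  ("par", P1, P2)  ("nu", s, P)
#   ("call", A, args) with DEFS[A] = (params, body); a branch B is a program
#   or ("ite", s, B1, B2).  Free signal names must not look like "<name><digits>".
import itertools

_fresh = itertools.count()

def subst(p, sigma):
    """[s/x]P: rename signals by sigma, giving every nu-bound name a fresh one."""
    k, r = p[0], (lambda s: sigma.get(s, s))
    if k == "nil":
        return p
    if k == "emit":
        return ("emit", r(p[1]))
    if k in ("present", "ite"):
        return (k, r(p[1]), subst(p[2], sigma), subst(p[3], sigma))
    if k == "par":
        return ("par", subst(p[1], sigma), subst(p[2], sigma))
    if k == "nu":
        fresh = f"{p[1]}{next(_fresh)}"
        return ("nu", fresh, subst(p[2], {**sigma, p[1]: fresh}))
    return ("call", p[1], tuple(r(a) for a in p[2]))

def em(p):
    """Em(P): the active emissions (a present statement contributes nothing)."""
    if p[0] == "emit":
        return {p[1]}
    if p[0] == "par":
        return em(p[1]) | em(p[2])
    if p[0] == "nu":
        return em(p[2])
    return set()

def bound(p):
    """Names bound by a nu anywhere in P (not observable from outside)."""
    if p[0] == "nu":
        return {p[1]} | bound(p[2])
    if p[0] == "par":
        return bound(p[1]) | bound(p[2])
    if p[0] in ("present", "ite"):
        return bound(p[2]) | bound(p[3])
    return set()

def tau_step(p, defs, active):
    """Leftmost tau transition of P or None: (in)+(out)+(tau) for a present on
    an emitted signal, (rec) for a call, (par) and (nu) to descend."""
    k = p[0]
    if k == "present":
        return ("par", p[2], ("emit", p[1])) if p[1] in active else None
    if k == "call":
        params, body = defs[p[1]]
        return subst(body, dict(zip(params, p[2])))
    if k == "par":
        for i in (1, 2):
            r = tau_step(p[i], defs, active)
            if r is not None:
                return p[:i] + (r,) + p[i + 1:]
        return None
    if k == "nu":
        r = tau_step(p[2], defs, active)
        return None if r is None else ("nu", p[1], r)
    return None

def suspend(p, defs, limit=10_000):
    """P => P'' with P'' suspended (no tau transition); fails if not reactive."""
    for _ in range(limit):
        nxt = tau_step(p, defs, em(p))
        if nxt is None:
            return p
        p = nxt
    raise RuntimeError("no suspension reached: the program is not reactive")

def floor(p, S):
    """The end-of-instant function of section 6.3 with emitted signals S."""
    k = p[0]
    if k in ("nil", "emit"):
        return ("nil",)
    if k == "present":
        b = p[3]
        while b[0] == "ite":            # assumed ite meaning: pick by presence in S
            b = b[2] if b[1] in S else b[3]
        return b
    if k == "nu":
        return ("nu", p[1], floor(p[2], S))
    if k == "par":
        return ("par", floor(p[1], S), floor(p[2], S))
    raise ValueError("a suspended program contains no call")

def trace_step(p, inputs, defs):
    """P =I/O=> P': add the input emitters, reduce to suspension, observe the
    free emitted signals O, then move to the end of the instant."""
    for s in sorted(inputs):
        p = ("par", p, ("emit", s))
    p = suspend(p, defs)
    S = em(p)
    return frozenset(S - bound(p)), floor(p, S)

def run(p, input_seq, defs):
    """Output sequence of P along a sequence of input sets (one trace)."""
    outs = []
    for inputs in input_seq:
        o, p = trace_step(p, inputs, defs)
        outs.append(o)
    return outs

# Constructed: Flip(x) = present x (emit out | pause.Flip(x)) (Flip(x))
PAUSE_FLIP = ("nu", "t", ("present", "t", ("nil",), ("call", "Flip", ("x",))))
DEFS = {"Flip": (("x",), ("present", "x", ("par", ("emit", "out"), PAUSE_FLIP),
                          ("call", "Flip", ("x",))))}

if __name__ == "__main__":
    print(run(("call", "Flip", ("in",)), [{"in"}, set(), {"in"}], DEFS))
```

Note that the observed set $O$ contains the input signals themselves, because $P_I$ stays in parallel and its emissions are visible, exactly as in the definition of $P \stackrel{I/O}{\Rightarrow} P'$.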

Proposition 36 If $P \approx_L Q$ then $tr(P) = tr(Q)$.

Proof. We observe that if $P \approx_L Q$ and $P \stackrel{I/O}{\Rightarrow} P'$ then $Q \stackrel{I/O}{\Rightarrow} Q'$ and $P' \approx_L Q'$. From this one can show that every trace in $tr(P)$ is in $tr(Q)$ and conversely.

We recall that $P \stackrel{I/O}{\Rightarrow} P'$ means $P \mid P_I \Rightarrow P''$, with $P_I = \Pi_{s \in I}\ \mathsf{emit}\ s$, $P'' \downarrow$, $O = \{s \mid P'' \xrightarrow{\bar{s}} \cdot\}$, and $P' = \lfloor P'' \rfloor$. First, note that $P \approx_L Q$ implies $P \mid P_I \approx_L Q \mid P_I$. If $(P \mid P_I) \Rightarrow P''$ and $P'' \downarrow$ then by (B1) $Q \mid P_I \Rightarrow Q_1$ and $P'' \approx_L Q_1$. Moreover, by (B2), $Q_1 \Rightarrow Q''$, $Q'' \downarrow$, $P'' \approx_L Q''$, and $P' = \lfloor P'' \rfloor \approx_L \lfloor Q'' \rfloor = Q'$. By (B3), if $P'' \xrightarrow{\bar{s}} \cdot$ then $Q'' \xrightarrow{\bar{s}} \cdot$, and conversely. Thus $Q \stackrel{I/O}{\Rightarrow} Q'$. □

Next, we recast the strong confluence result mentioned in section [?] in the following terms.

Proposition 37 If $P \xrightarrow{\tau} P_1$ and $P \xrightarrow{\tau} P_2$ then either $P_1 \equiv P_2$ or $\exists P_{12}\ (P_1 \xrightarrow{\tau} P_{12}$ and $P_2 \xrightarrow{\tau} P_{12})$.

We now look at some additional properties that can be derived from the strong confluence proposition 37.

Lemma 38 (1) If $P \xrightarrow{s} P_1$, $P \xrightarrow{\tau} P_2$, and $\neg P \xrightarrow{\bar{s}} \cdot$ then $\exists P_{12}\ (P_1 \xrightarrow{\tau} P_{12}$ and $P_2 \xrightarrow{s} P_{12})$.

(2) If $P \xrightarrow{s} P'$ and $P \xrightarrow{\bar{s}} \cdot$ then $P \xrightarrow{\tau} P'$.

(3) If $P \Rightarrow P_1$, $P \Rightarrow P_2$ and $P_1 \downarrow$ then $P_2 \Rightarrow P_1$.

(4) If $P \Rightarrow P_1$, $P \Rightarrow P_2$, $P_1 \downarrow$, and $P_2 \downarrow$ then $P_1 \equiv P_2$.

(5) If $P \stackrel{I/O_1}{\Rightarrow} P_1$ and $P \stackrel{I/O_2}{\Rightarrow} P_2$ then $P_1 \equiv P_2$ and $O_1 = O_2$.

Proof. We just check (5). By (4), if $P \mid P_I \Rightarrow P'_1$, $P'_1 \downarrow$, $P \mid P_I \Rightarrow P'_2$, and $P'_2 \downarrow$ then $P'_1 \equiv P'_2$. This forces $P_1 = \lfloor P'_1 \rfloor \equiv \lfloor P'_2 \rfloor = P_2$ and $O_1 = O_2$. □

The following proposition states an interesting consequence of confluence.⁴

Proposition 39 $P \Downarrow_L$ if and only if $P \Downarrow$.

Proof. By definition, $P \Downarrow$ implies $P \Downarrow_L$. To show the other direction, suppose $P \Downarrow_L$ and let $P \xrightarrow{\alpha_1} P_1 \cdots \xrightarrow{\alpha_n} P_n$ be a sequence of transitions of minimal length leading to a program $P_n$ such that $P_n \downarrow$. We build a sequence of internal transitions $\tau$ leading to a suspended program. First, we notice that the actions $\alpha_i$ cannot be emission actions, otherwise a shorter sequence can be found. Second, we can assume that the last action $\alpha_n$ is an internal transition $\tau$. Otherwise, if $\alpha_n = s$ then either $P_{n-1} \xrightarrow{\bar{s}} \cdot$ and then $P_{n-1} \xrightarrow{\tau} P_n$ by lemma 38(2), or $\neg P_{n-1} \xrightarrow{\bar{s}} \cdot$ and then $P_{n-1} \downarrow$ contradicting the minimal length hypothesis. Let us now look at a sequence of transitions:

$$P \xrightarrow{s} P_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} P_n \qquad n \geq 2 \qquad (3)$$

where $\neg P \xrightarrow{\bar{s}} \cdot$ and $\neg P \downarrow$. Then we must have $P \xrightarrow{\tau} P'$ and by lemma 38(1) there is a $P'_1$ such that $P' \xrightarrow{s} P'_1$ and $P_1 \xrightarrow{\tau} P'_1$. By the confluence properties and lemma 38(3), $P'_1 \Rightarrow P_n$ in $n - 2$ transitions $\tau$. Thus we have the following sequence of transitions:

$$P \xrightarrow{\tau} P' \xrightarrow{s} P'_1 \Rightarrow P_n \qquad (4)$$

The number of $\tau$ transitions that follow the $s$ transition is $n - 1$ in (3) and $n - 2$ in (4). By iterating this reasoning, the input transition $s$ is eventually removed. Moreover, the argument is extended to a sequence of transitions containing several input actions by simply removing the input actions one after the other proceeding backwards. □

⁴ One can conceive non-deterministic extensions of the language where the proposition fails.

In view of proposition 39 the hypothesis $P \Downarrow_L$ can be replaced by the hypothesis $P \Downarrow$ in condition (B3). Now consider an alternative definition where the hypothesis $P \Downarrow_L$ is replaced by the hypothesis $P \downarrow$. We refer to this condition as $(B3)_{\downarrow}$, call the resulting notion of bisimulation $\downarrow$-labelled bisimulation, and denote with $\approx_L^{\downarrow}$ the related largest bisimulation.

Proposition 40 $\approx_L = \approx_L^{\downarrow}$.

This is a direct consequence of the following lemma whose proof is delayed to appendix A.9.

Lemma 41 (1) If $P \approx_L Q$ then $P \approx_L^{\downarrow} Q$.

(2) The relation $\approx_L^{\downarrow}$ is reflexive and transitive.

(3) If $P \approx_L^{\downarrow} Q$ then $P \Downarrow_L$ iff $Q \Downarrow_L$, and $tr(P) = tr(Q)$.

(4) $\approx_L^{\downarrow}$ is a labelled bisimulation.

We rely on this characterisation to show that bisimulation and trace equivalence collapse; an expected property of deterministic systems. To this end, we note the following properties of trace equivalence whose proof is given in appendix A.10.

Lemma 42 (1) If $tr(P) = tr(Q)$ then $tr(P \mid (\mathsf{emit}\ s)) = tr(Q \mid (\mathsf{emit}\ s))$.

(2) $\mathcal{R} = \{(P, Q) \mid tr(P) = tr(Q)\}$ is a labelled bisimulation.

From proposition 36 and lemma 42(2), we derive the collapse of trace and bisimulation equivalence.

Theorem 43 $P \approx_L Q$ if and only if $tr(P) = tr(Q)$.

7 Conclusion 

Motivated by recent developments in reactive programming, we have introduced a revised 
definition of the SL model including thread spawning and recursive definitions. The revised 
model is still confluent and therefore deterministic. We have proposed a simple static 
analysis that entails reactivity in the presence of recursive definitions and characterised 
the computational power of the model with and without signal generation. Moreover, we 
have identified a tail recursive core language which is built around the present operator and 
whose justification comes directly from the basic design principle of the SL model. The 
simplification of the model has been instrumental to the development of a compositional 
notion of program equivalence. In further investigations, we plan to extend this approach 
to a Synchronous Language including data values and name mobility. 
A Proofs



A.1 Proof of proposition [?]

By induction on the structure of $T$ assuming ';' associates to the right. If $T = 0$ then clearly no decomposition is possible. If $T \neq 0$ is a redex then take $C = [\ ]$ and observe that no other context is possible. If $T$ has the shape $\Delta; T''$ then take $C = [\ ]; T''$. If $T$ has the shape $(\mathsf{watch}\ s\ T')$ and $T' \neq 0$ then by inductive hypothesis we have a unique decomposition $T' = C'[\Delta']$ and the only possible decomposition for $T$ is obtained by taking $C = (\mathsf{watch}\ s\ C')$ and $\Delta = \Delta'$. Finally, if $T = (\mathsf{watch}\ s\ T'); T''$ and $T' \neq 0$ then by inductive hypothesis we have a unique decomposition $T' = C'[\Delta']$ and the only possible decomposition for $T$ is obtained by taking $C = (\mathsf{watch}\ s\ C'); T''$ and $\Delta = \Delta'$. □

A.2 Proof of theorem [?]

First we notice that the notions of reduction, suspension, and evaluation at the end of an
instant can be defined up to renaming.

Proposition 44 Suppose $(P_1,E_1) =_\alpha (P_2,E_2)$. Then the following holds.

(1) If $(P_1,E_1) \xrightarrow{P_1''} (P_1',E_1')$ then $(P_2,E_2) \xrightarrow{P_2''} (P_2',E_2')$ and $(P_1' \cup P_1'', E_1') =_\alpha (P_2' \cup P_2'', E_2')$.

(2) $(P_1,E_1)\downarrow$ if and only if $(P_2,E_2)\downarrow$.

(3) If $(P_1,E_1)\downarrow$ then $\lfloor P_1 \rfloor_{E_1} =_\alpha \lfloor P_2 \rfloor_{E_2}$.

Proof. (1) By case analysis on the reduction.

(2) Suppose $T_i = C_i[\text{await } s_i]$ for $i = 1,2$ and $\sigma$ is a renaming such that $\sigma T_1 = T_2$ and
$E_1 = E_2 \circ \sigma$. Then check that $(T_1,E_1)\downarrow$ if and only if $(T_2,E_2)\downarrow$.

(3) Suppose $(P_1,E_1) =_\alpha (P_2,E_2)$ and $(P_1,E_1)\downarrow$. Proceed by induction on the structure of
$P_1$. □

Then we check the strong confluence lemma from which determinism follows.

Lemma 45 (strong confluence) If $(P,E) \xrightarrow{P_1''} (P_1',E_1')$, $(P,E) \xrightarrow{P_2''} (P_2',E_2')$, and
$(P_1' \cup P_1'', E_1') \neq_\alpha (P_2' \cup P_2'', E_2')$ then there exist $P_{12}', P_{12}'', E_{12}, P_{21}', P_{21}'', E_{21}$ such that
$(P_1',E_1') \xrightarrow{P_{12}''} (P_{12}',E_{12})$, $(P_2',E_2') \xrightarrow{P_{21}''} (P_{21}',E_{21})$, and
$(P_{12}' \cup P_1'' \cup P_{12}'', E_{12}) =_\alpha (P_{21}' \cup P_2'' \cup P_{21}'', E_{21})$.

Proof. It is convenient to work with a pair $(P,E)$ such that all bound names are distinct
and not in $dom(E)$. It is then possible to close the diagram directly taking $P_2 = P_2$, $P_1 =$

We can then derive the initial statement by repeated application of proposition 44. □
A.3 Proof of theorem 11

First, it is useful to note the following commutation of substitution and CPS translation.

Lemma 46 $[s/x][T](t,r) = [[s/x]T](t,r)$, assuming $\{x\} \cap sig(t,r) = \emptyset$.

Lemma 47 Suppose $T\ \mathcal{R}\ t$, and $(T,E) \xrightarrow{P} (T',E')$. Then $T = C[A]$ for some context $C$
and redex $A$ and exactly one of the following cases arises.

(1) $A ::= 0;T'' \mid (\text{watch } s\ 0)$. Then $P = \emptyset$, $E = E'$, and $t = [T](0,\epsilon) = [T'](0,\epsilon)$.

(2) $A ::= \text{thread } T''$. Then $P = \{|T''|\}$, $E = E'$, and $(t,E) = ([T](0,\epsilon),E) \xrightarrow{\{|[T''](0,\epsilon)|\}} ([T'](0,\epsilon),E)$.

(3) $A ::= \text{emit } s \mid \nu s\ T'' \mid A(s)$. Then $P = \emptyset$ and $(t,E) = ([T](0,\epsilon),E) \to ([T'](0,\epsilon),E')$.

(4) $A ::= \text{await } s$ and $t = [T](0,\epsilon)$. Then $P = \emptyset$, $E = E'$, and $(t,E) \to ([T'](0,\epsilon),E)$.

(5) $A ::= \text{await } s$ and $t = A$ where $A = [T](0,\epsilon)$. Then $P = \emptyset$, $E = E'$, and
$(t,E) \to \cdot \to ([T'](0,\epsilon),E)$.

Proof. We denote with $\pi_1, \pi_2$ the first and second projection, respectively.

(1) If $A = 0;T$ then

$[C[0;T]](0,\epsilon)$
$= [0;T]([C](0,\epsilon))$ (by proposition [?])
$= [T]([C](0,\epsilon))$ (by CPS definition)
$= [C[T]](0,\epsilon)$ (by proposition [?]).

If $A = \text{watch } s\ 0$ let $(t,r) = [C](0,\epsilon)$. Then

$[C[\text{watch } s\ 0]](0,\epsilon)$
$= [\text{watch } s\ 0](t,r)$ (by proposition [?])
$= [0](t, r \cdot (s,t))$ (by CPS definition)
$= t$ (by CPS definition)
$= [0](t,r)$ (by CPS definition)
$= [C[0]](0,\epsilon)$ (by proposition [?]).

(2) We observe:

$[C[\text{thread } T'']](0,\epsilon)$
$= [\text{thread } T'']([C](0,\epsilon))$ (by proposition [?])
$= \text{thread } [T''](0,\epsilon).\pi_1([C](0,\epsilon))$ (by CPS definition)
$= \text{thread } [T''](0,\epsilon).[0]([C](0,\epsilon))$ (by CPS definition)
$\xrightarrow{\{|[T''](0,\epsilon)|\}} [C[0]](0,\epsilon)$ (by $(t_B)$ and proposition [?]).

(3) The cases where $A = (\text{emit } s)$ or $A = (\nu s\ T)$ are straightforward. Suppose $A = A(s)$.
Assume $(t,r) = [C](0,\epsilon)$, $sig(t,r) = \{s'\}$ and $A(x) = T$ with $\{x\} \cap \{s'\} = \emptyset$. We consider
the equation $A^{(t,r)}(x) = [T](t,r)$ where we rely on the convention that the parameters $s'$
are omitted. Now we have:

$[C[A(s)]](0,\epsilon)$
$= [A(s)]([C](0,\epsilon))$ (by proposition [?])
$= A^{(t,r)}(s)$ (by CPS definition)
$\to [s/x, s'/s'][T](t,r)$
$= [[s/x]T](t,r)$ (by substitution lemma 46)
$= [[s/x]T]([C](0,\epsilon))$
$= [C[[s/x]T]](0,\epsilon)$ (by proposition [?]).

(4) We observe:

$[C[\text{await } s]](0,\epsilon) = [\text{await } s]([C](0,\epsilon)) = \text{present } s\ t\ b$

where $t = \pi_1([C](0,\epsilon)) = [C[0]](0,\epsilon)$ and $(\text{present } s\ t\ b, E) \to (t,E)$.

(5) First unfold $A(s)$ and then proceed as in case (4). □

Thus if $T\ \mathcal{R}\ t$ and $T$ reduces then $t$ can match the reduction and stay in the relation.
The proofs of the following three lemmas 48, 49, and 50 rely on similar arguments. First,
we analyse the situation where $t$ reduces.

Lemma 48 Suppose $T\ \mathcal{R}\ t$, and $(t,E) \xrightarrow{p} (t',E')$. Then $T = C[A]$ and exactly one of the
following cases arises.

(1) $A ::= \text{await } s$ and $t = A$ where $A = [T](0,\epsilon)$. Then $p = \emptyset$, $E = E'$ and $T\ \mathcal{R}\ t'$.

(2) $A ::= \text{await } s$ and $t = [T](0,\epsilon)$. Then $p = \emptyset$, $E = E'$, and $(T,E) \to (T',E)$ with
$t' = [T'](0,\epsilon)$.

(3) $A ::= \text{thread } T''$. Then $p = \{|[T''](0,\epsilon)|\}$, $E = E'$, and $(T,E) \to (T',E)$ with
$t' = [T'](0,\epsilon)$.

(4) $A ::= \text{emit } s \mid \nu s\ T'' \mid A(s)$. Then $p = \emptyset$, $t = [T](0,\epsilon)$, and $(T,E) \to (T',E')$ with
$t' = [T'](0,\epsilon)$.

(5) $A ::= 0;T'' \mid (\text{watch } s\ 0)$. Then $p = \emptyset$, $E = E'$, $t = [T](0,\epsilon)$, $(T,E) \to (T',E)$,
$t = [T'](0,\epsilon)$, and $T'$ smaller than $T$.

Thus if $T\ \mathcal{R}\ t$ and $t$ reduces then $T$ can match the reduction and stay in the relation.
In the worst case, the number of reductions $T$ has to make is proportional to its size. This
is because case (5) shrinks the thread.

Lemma 49 If $T\ \mathcal{R}\ t$ and $(T,E)\downarrow$ then exactly one of the following cases arises.

(1) $t = [T](0,\epsilon)$. Then $(t,E)\downarrow$.

(2) $T = C[\text{await } s]$, $t = A$, and $A = [T](0,\epsilon)$. Then $(t,E) \to ([T](0,\epsilon),E)$ and
$([T](0,\epsilon),E)\downarrow$.

Thus if $T\ \mathcal{R}\ t$ and $(T,E)$ is suspended then $(t,E)$ is suspended too, possibly up to an
unfolding.

Lemma 50 If $T\ \mathcal{R}\ t$ and $(t,E)\downarrow$ then $t = [T](0,\epsilon)$ and exactly one of the following cases
arises.

(1) $T = 0$ or $T = C[\text{await } s]$ and $(T,E)\downarrow$.

(2) $T = C[A]$, $A ::= 0;T'' \mid (\text{watch } s\ 0)$. Then $(T,E) \to (C[0],E)$ and $t = [C[0]](0,\epsilon)$.

Thus if $T\ \mathcal{R}\ t$ and $(t,E)$ is suspended then $(T,E)$ is suspended too, possibly up to the
reduction of redexes $0;T''$ or $(\text{watch } s\ 0)$. Again the number of these reductions is at most
proportional to the size of $T$. Next we look at the computation at the end of the instant.

Lemma 51 If $T\ \mathcal{R}\ t$, $(T,E)\downarrow$, and $(t,E)\downarrow$ then $\lfloor T \rfloor_E\ \mathcal{R}\ \lfloor t \rfloor_E$.

Proof. Exactly one of the following cases arises.

(1) $T = t = 0 = \lfloor T \rfloor_E = \lfloor t \rfloor_E$.

(2) $T = C[\text{await } s]$, $t = [T](0,\epsilon)$. We have to make explicit the structure of $t$ and relate it to the
structure of the context. First, we notice that the context $C$ can be written in the general
form

$C = (\text{watch } s_1 \cdots (\text{watch } s_n\ [\ ]\ U_{n+1})\ U_n \cdots)\ U_1$

where $U_i ::= \epsilon \mid ;T_i$ so that the presence of $U_i$ is optional. Then we claim that $t$ can be
written as:

$t = \text{present } s\ t_{n+1}\ (\text{ite } s_1\ t_1 \cdots (\text{ite } s_n\ t_n\ A) \cdots)$, $A = t$

where $t_i$ is defined inductively as follows:

$t_0 = 0$, $r_0 = \epsilon$

$t_{i+1} = [T_{i+1}](t_i, r_i)$ if $U_{i+1} = ;T_{i+1}$, and $t_{i+1} = t_i$ otherwise, for $i = 0, \dots, n$

$r_{i+1} = r_i \cdot (s_{i+1}, t_{i+1})$ for $i = 0, \dots, n-1$

In particular, we have $[C](0,\epsilon) = (t_{n+1}, r_n)$. Now two subcases can arise.

(2.1) $E(s_1) = \cdots = E(s_n) = \mathit{false}$. Then $\lfloor T \rfloor_E = T$ and $\lfloor t \rfloor_E = A$ so that thanks to the
second clause in the definition of $\mathcal{R}$ we have $\lfloor T \rfloor_E\ \mathcal{R}\ \lfloor t \rfloor_E$.

(2.2) $E(s_1) = \cdots = E(s_{i-1}) = \mathit{false}$ and $E(s_i) = \mathit{true}$. Then
$\lfloor T \rfloor_E = (\text{watch } s_1 \cdots (\text{watch } s_{i-1}\ U_i)\ U_{i-1} \cdots)\ U_1$, and $[\lfloor T \rfloor_E](0,\epsilon) = t_i = \lfloor t \rfloor_E$. □

To summarise, we have shown that the relation $\mathcal{R}$ acts as a kind of weak bisimulation
with respect to reduction and suspension and that it is preserved by the computation at
the end of the instant. Note that the relation $\mathcal{R}$ is immediately extended to programs
in the source and target language by saying that the source program $P$ is related to the
target program $p$ if there is a bijection $\xi$ between the threads in $P$ and those in $p$ such that
if $\xi(T) = t$ then $T\ \mathcal{R}\ t$.
Lemma 52 Suppose $P\ \mathcal{R}\ p$. Then for every environment $E$:

(1) If $(P,E) (\to)^* (P',E')$ and $(P',E')\downarrow$ then for some $p'$, $(p,E) (\to)^* (p',E')$, $(p',E')\downarrow$, and
$\lfloor P' \rfloor_{E'}\ \mathcal{R}\ \lfloor p' \rfloor_{E'}$.

(2) Vice versa, if $(p,E) (\to)^* (p',E')$ and $(p',E')\downarrow$ then for some $P'$, $(P,E) (\to)^* (P',E')$,
$(P',E')\downarrow$, and $\lfloor P' \rfloor_{E'}\ \mathcal{R}\ \lfloor p' \rfloor_{E'}$.

From lemma 52 we derive that if $P\ \mathcal{R}\ p$ then $tr(P) = tr(p)$ and in particular that
$tr(P) = tr([P])$ as required.

A.4 Proof of proposition 14

Let $X$ be a finite set of thread identifiers. We define its depth as the length of the longest
descending chain with respect to $\succ$. Consider an equation $A(x) = T$. The function
$Call(T,\epsilon)$ implicitly associates a label $\ell \in \{\epsilon, k\}$ with every occurrence of a thread identifier
in $T$. Next consider a related equation $A^{(t,r)}(x) = [T](t,r)$ and an occurrence of a thread
identifier $B$ in $T$. Two situations may arise: (1) The label associated with the occurrence
of $B$ is $k$ and then $A \succ B$. (2) The label associated with the occurrence of $B$ is $\epsilon$ and then
$A \succ B$ and moreover the index $(t',r')$ of $B$ in the CPS translation is either $(0,\epsilon)$ or $(t,r)$.

Then to compute the system of recursive equations associated with the CPS translation
proceed as follows. First, compute the equations of 'index' $(0,\epsilon)$, i.e., those of the shape
$A^{(0,\epsilon)}(x) = [T](0,\epsilon)$ and collect all the thread identifiers $A^{(t,r)}$ occurring on the right
hand side with an index $(t,r)$ different from $(0,\epsilon)$. Continue by computing the equations
$A^{(t,r)}(x) = [T](t,r)$ for the new indexes $(t,r)$. Then collect again the identifiers with new
indexes. At each step the depth of the finite set of thread identifiers with new indexes
decreases. Thus this process terminates with a finite number of recursive equations. □

A.5 Proof of theorem 19

We start by describing the simulation of simple deterministic push down automata. The
empty stack is represented by the symbol $Z$. The stack alphabet has only one symbol $S$.
A configuration of an automaton is a pair $(q, S \cdots SZ)$ composed of a state and a stack,
and its possible transitions are:

$(q, w) \to (q', Sw)$    (increment)
$(q, Sw) \to (q', w)$    (decrement)
                          (test zero)

We introduce as many thread identifiers as states. Each of these thread identifiers has
parameters $inc, dec, zero, ack$ which we omit. Depending on the instructions associated
with the state, we introduce one of the following equations:

q = (emit inc); (await ack); pause; q'        (increment)
q = (emit dec); (await ack); pause; q'        (decrement)
q = (present zero (pause; q') q'')             (test zero)

Note that the control starts at most one operation per instant and that it waits for the
completion of the operation before proceeding to the following one.

Next we represent the stack. This is similar to what is done, e.g., in CCS [?]. We
abbreviate with $s$ a vector of 5 signals $dec, inc, zero, ack, abort$. A thread $Z$ depends on
such a vector for interactions on the 'left'. A thread $S$ (or $S^+$, $S_r$, $S_l$) depends on a pair of
vectors $s, s'$ for interactions on the 'left' and on the 'right', respectively.

Z(s)      = (watch abort (emit zero);
               (present inc
                  (emit ack); pause; (νs' (thread S(s,s'), Z(s')))
                  (thread Z(s))))

S(s,s')   = (thread
               (watch dec (await inc); pause; (thread S+(s,s'))),
               (watch inc (await dec); pause; (thread S_r(s,s'))))

S+(s,s')  = (νs'' (emit ack); (thread S(s,s''), S(s'',s')))

S_r(s,s') = (present zero' (emit abort'); pause; (emit ack); Z(s)
                           (emit dec'); S_l(s,s'))

S_l(s,s') = (await ack'); pause; (emit ack); S(s,s')

A configuration $(q, S \cdots SZ)$ of the automaton is mapped to a program which is essentially
equivalent to: $(\nu s_0, \dots, s_n\ (\text{thread } q(s_0), S(s_0,s_1), \dots, S(s_{n-1},s_n), Z(s_n)))$. It is not difficult
to check that the program can simulate the transitions of the automaton (and this is all
we need to check since the program is deterministic!). The more complex dynamics is
introduced by the decrement. Roughly, the decrement of a stack represented by the threads
$S, S, S, Z$ goes through the following transformations:

$S,S,S,Z \to S_r,S,S,Z \to S_l,S_r,S,Z \to S_l,S_l,S_r,Z \to S_l,S_l,Z \to S_l,S,Z \to S,S,Z$

There is a wave from left to right that transforms $S$ into $S_l$; when the wave meets $Z$,
it aborts $Z$, transforms the rightmost $S$ into $Z$, and produces a wave from right to left
that turns $S_l$ into $S$ again. The simulating program can be put in tail recursive form via
the CPS translation. In particular, note that all recursive calls in the scope of a watch are
under a thread statement that has the effect of resetting the evaluation context. Finally, we
remark that the simulation of deterministic push down automata can be easily generalised
to deterministic two-counter machines by simply letting the control operate on two distinct
stacks. □
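The control and stack encoding of this proof, as an added example that is not part of the original paper: a small Python interpreter for the SL core used here (emit, await, present, watch, thread, pause, recursive definitions) together with the threads Z, S, S+, S_r, S_l, driven by a control thread that performs increments, decrements and zero tests. It assumes that pause is a primitive released at the end of the instant and that the zero test additionally emits the constructed signals is_zero / not_zero so its outcome is observable; running with `pick=0` and `pick=-1` schedules runnable threads in opposite orders and yields the same outcomes, as determinism requires.

```python
"""Added example, not the paper's code: a small-step interpreter for the SL core
of appendix A.5 and its stack encoding Z / S / S+ / S_r / S_l (pause is primitive)."""
from functools import reduce
from itertools import count

ZERO, PAUSE, _fresh = ('zero',), ('pause',), count()
def seq(*ts): return reduce(lambda t, a: ('seq', a, t), reversed(ts[:-1]), ts[-1])
def emit(s): return ('emit', s)
def await_(s): return ('await', s)
def present(s, t1, t2): return ('present', s, t1, t2)
def watch(s, t): return ('watch', s, t)
def thread(*ts): return ('thread', ts)
def call(f, *args): return ('call', f, args)        # A(s): unfolded lazily by f
def step(t, E):
    """One reduction in E (frozenset of emitted signals): (t', E', spawned), or None."""
    k = t[0]
    if k in ('seq', 'watch'):                         # reduce inside the context
        j = 1 if k == 'seq' else 2                    # index of the sub-thread
        if t[j] == ZERO: return (t[2] if k == 'seq' else ZERO), E, []
        r = step(t[j], E)
        return None if r is None else (t[:j] + (r[0],) + t[j + 1:], r[1], r[2])
    if k == 'emit': return ZERO, E | {t[1]}, []
    if k == 'await': return (ZERO, E, []) if t[1] in E else None
    if k == 'present': return (t[2], E, []) if t[1] in E else None  # absence: wait
    if k == 'thread': return ZERO, E, list(t[1])
    if k == 'call': return t[1](*t[2]), E, []
    return None                                       # zero, pause: suspended
def eoi(t, E):
    """End of instant: abort a watch whose signal was emitted, take the else branch."""
    k = t[0]
    if k == 'seq': return seq(eoi(t[1], E), t[2])
    if k == 'present': return t[3]
    if k == 'watch': return ZERO if t[1] in E else watch(t[1], eoi(t[2], E))
    return ZERO if k == 'pause' else t
def run(threads, instants, pick=0):
    """Run the threads; pick (0 first, -1 last) selects the runnable thread that moves."""
    pool, trace = list(threads), []
    for _ in range(instants):
        E = frozenset()
        while moves := [(i, r) for i, th in enumerate(pool) if (r := step(th, E))]:
            i, (t, E, spawned) = moves[pick]
            pool[i] = t
            pool += spawned
        trace.append(sorted(E))                       # signals emitted in this instant
        pool = [t for th in pool if (t := eoi(th, E)) != ZERO]
    return trace

def vec():       # a fresh vector s of the signals dec, inc, zero, ack, abort
    n = next(_fresh)
    return {x: f'v{n}.{x}' for x in ('dec', 'inc', 'zero', 'ack', 'abort')}
def Z(s):
    s2 = vec()                                        # the (nu s') of the paper
    return watch(s['abort'], seq(emit(s['zero']), present(s['inc'],
        seq(emit(s['ack']), PAUSE, thread(call(S, s, s2), call(Z, s2))),
        thread(call(Z, s)))))
def S(s, s2):
    return thread(watch(s['dec'], seq(await_(s['inc']), PAUSE, thread(call(Splus, s, s2)))),
                  watch(s['inc'], seq(await_(s['dec']), PAUSE, thread(call(Sr, s, s2)))))
def Splus(s, s2):
    s3 = vec()
    return seq(emit(s['ack']), thread(call(S, s, s3), call(S, s3, s2)))
def Sr(s, s2):   # the paper's primed signals are those of the right vector s2
    return present(s2['zero'], seq(emit(s2['abort']), PAUSE, emit(s['ack']), call(Z, s)),
                   seq(emit(s2['dec']), call(Sl, s, s2)))
def Sl(s, s2):
    return seq(await_(s2['ack']), PAUSE, emit(s['ack']), call(S, s, s2))

def ctrl(s, prog):
    """Control thread over 'inc' / 'dec' / 'zero?'; the zero test also emits the
    constructed signals is_zero / not_zero so that its outcome is observable."""
    if not prog: return ZERO
    op, rest = prog[0], call(ctrl, s, prog[1:])
    if op == 'zero?':
        return present(s['zero'], seq(emit('is_zero'), PAUSE, rest), seq(emit('not_zero'), rest))
    return seq(emit(s[op]), await_(s['ack']), PAUSE, rest)
def simulate(prog, pick=0, instants=40):
    """Outcomes of the zero tests; identical whichever runnable thread moves first."""
    s0 = vec()
    trace = run([call(ctrl, s0, prog), call(Z, s0)], instants, pick)
    return [x for E in trace for x in E if x in ('is_zero', 'not_zero')]
```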

A.6 Proof of proposition 20

(1) By induction on the proof of $P \to P'$.

(2) If $P \xrightarrow{s} \cdot$ then $P$ has the shape $D[\text{emit } s]$ for a suitable context $D$ built out of restrictions
and parallel compositions. It is easily checked that after a transition the emission $\text{emit } s$
is still observable.

(3) By induction on the proof of $P \to P'$. □
A.7 Proof of lemma 31

Most properties follow by routine verifications. We just highlight some points.

(1) Recalling that $P =_L Q$ and $P\downarrow$ implies $Q\downarrow$.

(2) Condition (S1) entails conditions (B1), (B3), and (L2), while condition (S2) (with
(S1)) entails conditions (B2) and (L1).

(3) Introduce a notion of normalised program where parallel composition associates to
the left, all restrictions are carried at top level, and 0 programs are removed. Then define
a relation $R$ where two programs are related if their normalised forms are identical up
to bijective permutations of the restricted names and the parallel components. A pair of
programs equated by the laws under consideration is in $R$. Show that $R$ is a strong labelled
bisimulation.

(4) Show that $\{(P \mid S, Q \mid S) \mid P =_L Q\}$ is a strong labelled bisimulation where $S$ is
defined as in the statement.

(5) Direct diagram chasing.

(6) We reason up to $=_L$.

(7) We show $\{(P_1 \mid Q, P_2 \mid Q) \mid P_1 =_L P_2\}$ is a strong labelled bisimulation up to $=_L$.

Let us focus on condition (S2). Let $X = \{s' \mid (P_1 \mid P_2) \xrightarrow{s'} \cdot\}$ and let $S'$ be the parallel
composition of the emissions $(\text{emit } s)$ where $s \in X$. Suppose $(P_1 \mid Q \mid S)\downarrow$. Then we note
that $P_1 \mid Q \mid S =_L (P_1 \mid S' \mid S) \mid (Q \mid S' \mid S)$ and
$\lfloor P_1 \mid Q \mid S \rfloor =_L \lfloor P_1 \mid S' \mid S \rfloor \mid \lfloor Q \mid S' \mid S \rfloor$. A similar remark applies to $P_2 \mid Q$. Then we can conclude by reasoning up to $=_L$. □

A.8 Proof of lemma 35

(1) We show that the relation $R = {\approx_L} \cup \{(P \mid (\text{emit } s), Q \mid (\text{emit } s)) \mid P \approx_L Q\}$ is a
labelled bisimulation up to $=_L$. We assume $P \approx_L Q$ and we analyse the conditions (B1–3)
and (L1–2).

(B1) Suppose $P \mid (\text{emit } s) \xrightarrow{\tau} P' \mid (\text{emit } s)$. If the action $\tau$ is performed by $P$ then
the hypothesis and condition (B1) allow to conclude. Otherwise, suppose $P \xrightarrow{s} P'$. Then
we apply the hypothesis and condition (L2). Two cases may arise: (1) If $Q \stackrel{s}{\Rightarrow} Q'$ and
$P' \approx_L Q'$ then the conclusion is immediate. (2) If $Q \Rightarrow Q'$ and $P' \approx_L Q' \mid (\text{emit } s)$ then
we note that $Q' \mid (\text{emit } s) =_L (Q' \mid (\text{emit } s)) \mid (\text{emit } s)$ and we close the diagram up to $=_L$.

(B3) Suppose $P \mid (\text{emit } s) \xrightarrow{s'} \cdot$ and $P \mid (\text{emit } s) \Downarrow_L$. If $s = s'$ then $Q \mid (\text{emit } s) \xrightarrow{s} \cdot$ and we
are done. Otherwise, it must be that $P \xrightarrow{s'} \cdot$. Moreover, $P \Downarrow_L$. Then $P \approx_L Q$ and condition
(B3) imply that $Q \Rightarrow Q' \xrightarrow{s'} \cdot$, and $P \approx_L Q'$. Hence $Q \mid (\text{emit } s) \Rightarrow Q' \mid (\text{emit } s) \xrightarrow{s'} \cdot$ and
we can conclude.

(L1) Suppose $S = (\text{emit } s_1) \mid \cdots \mid (\text{emit } s_n)$. Define $S' = (\text{emit } s) \mid S$. Then $P \approx_L Q$ and
condition (L1) applied to $S'$ allows to conclude.

(L2) Suppose $P \mid (\text{emit } s) \xrightarrow{s'} P' \mid (\text{emit } s)$. Necessarily $P \xrightarrow{s'} P'$. Given $P \approx_L Q$ and
condition (L2) two cases may arise: (1) $Q \stackrel{s'}{\Rightarrow} Q'$ and $P' \approx_L Q'$. Then the conclusion is
immediate. (2) $Q \Rightarrow Q'$ and $P' \approx_L Q' \mid (\text{emit } s')$. Then $Q \mid (\text{emit } s) \Rightarrow Q' \mid (\text{emit } s)$ and
we observe that $(Q' \mid (\text{emit } s)) \mid (\text{emit } s') =_L (Q' \mid (\text{emit } s')) \mid (\text{emit } s)$ thus closing the
diagram up to $=_L$.

(2) It is easily checked that the identity relation is a labelled bisimulation. Reflexivity
follows. As for transitivity, we check that the relation $\approx_L \circ \approx_L$ is a labelled bisimulation
up to $=_L$.

(B1–3, L1) These cases are direct. For (B3), recall proposition 29(2).

(L2) Suppose $P_1 \approx_L P_2 \approx_L P_3$ and $P_1 \xrightarrow{s} P_1'$. Two interesting cases arise when either $P_2$
or $P_3$ match an input action with an internal transition. (1) Suppose first $P_2 \Rightarrow P_2'$ and
$P_1' \approx_L P_2' \mid (\text{emit } s)$. By $P_2 \approx_L P_3$ and repeated application of (B1) we derive that $P_3 \Rightarrow P_3'$
and $P_2' \approx_L P_3'$. By property (1) the latter implies that $P_2' \mid (\text{emit } s) \approx_L P_3' \mid (\text{emit } s)$ and
we combine with $P_1' \approx_L P_2' \mid (\text{emit } s)$ to conclude. (2) Next suppose $P_2 \Rightarrow P_2^1 \xrightarrow{s} P_2^2 \Rightarrow P_2'$
and $P_1' \approx_L P_2'$. Suppose that $P_3$ matches these transitions as follows: $P_3 \Rightarrow P_3^1 \Rightarrow P_3^2$,
$P_2^2 \approx_L P_3^2 \mid (\text{emit } s)$, and moreover $P_3^2 \mid (\text{emit } s) \Rightarrow P_3' \mid (\text{emit } s)$ with $P_2' \approx_L P_3' \mid (\text{emit } s)$.
Two subcases may arise: (i) $P_3^2 \stackrel{s}{\Rightarrow} P_3'$. Then we have $P_3 \stackrel{s}{\Rightarrow} P_3'$, $P_2' \approx_L P_3' \mid (\text{emit } s)$ and we
can conclude. (ii) $P_3^2 \Rightarrow P_3'$. Then we have $P_3 \Rightarrow P_3'$ and $P_2' \approx_L P_3' \mid (\text{emit } s) =_L P_3'$.

(3) We show that $\{(\nu s\ P, \nu s\ Q) \mid P \approx_L Q\}$ is a labelled bisimulation up to $=_L$.

(B1) If $\nu s\ P \xrightarrow{\tau} P''$ then $P'' = \nu s\ P'$ and $P \xrightarrow{\tau} P'$. From $P \approx_L Q$ and (B1) we derive
$Q \Rightarrow Q'$ and $P' \approx_L Q'$. Then $\nu s\ Q \Rightarrow \nu s\ Q'$ and we conclude.

(B3) If $\nu s\ P \xrightarrow{s'} \cdot$ ($s \neq s'$) then $P \xrightarrow{s'} \cdot$. From $P \approx_L Q$ and (B3) we derive $Q \Rightarrow Q'$, $Q' \xrightarrow{s'} \cdot$,
and $P \approx_L Q'$. To conclude, note that $\nu s\ Q \Rightarrow \nu s\ Q'$ and $\nu s\ Q' \xrightarrow{s'} \cdot$.

(L1) Let $S = (\text{emit } s_1) \mid \cdots \mid (\text{emit } s_n)$ with $s \neq s_i$ for $i = 1, \dots, n$. If $((\nu s\ P) \mid S)\downarrow$ then
$(P \mid S)\downarrow$. From $P \approx_L Q$ and (L1) we derive $(Q \mid S) \Rightarrow (Q' \mid S)$, $(Q' \mid S)\downarrow$, $(P \mid S) \approx_L (Q' \mid S)$,
and $\lfloor P \mid S \rfloor \approx_L \lfloor Q' \mid S \rfloor$. This implies that $((\nu s\ Q) \mid S) \Rightarrow ((\nu s\ Q') \mid S)$ and
$((\nu s\ Q') \mid S)\downarrow$. We observe that $((\nu s\ P) \mid S) =_L \nu s\ (P \mid S)$, $((\nu s\ Q') \mid S) =_L \nu s\ (Q' \mid S)$,
$\lfloor (\nu s\ P) \mid S \rfloor =_L \nu s\ \lfloor P \mid S \rfloor$, and $\lfloor (\nu s\ Q') \mid S \rfloor =_L \nu s\ \lfloor Q' \mid S \rfloor$. Then we can close the
diagram up to $=_L$.

(L2) Suppose $\nu s\ P \xrightarrow{s'} P''$. Then $s \neq s'$ and $P'' = \nu s\ P'$ with $P \xrightarrow{s'} P'$. From $P \approx_L Q$
and (L2) two cases may arise. (1) If $Q \stackrel{s'}{\Rightarrow} Q'$ and $P' \approx_L Q'$ then $\nu s\ Q \stackrel{s'}{\Rightarrow} \nu s\ Q'$ and we
are done. (2) If $Q \Rightarrow Q'$ and $P' \approx_L Q' \mid (\text{emit } s')$ then $\nu s\ Q \Rightarrow \nu s\ Q'$ and we note that
$\nu s\ Q' \mid (\text{emit } s') =_L \nu s\ (Q' \mid (\text{emit } s'))$ thus closing the diagram up to $=_L$.

(4) We show that $R = \{(P_1 \mid Q, P_2 \mid Q) \mid P_1 \approx_L P_2\} \cup {\approx_L}$ is a labelled bisimulation up to
$=_L$.

(B1) Suppose $(P_1 \mid Q) \xrightarrow{\tau} P'$.

(B1)[1] If the $\tau$ transition is due to $P_1$ or $Q$ then the corresponding $P_2$ or $Q$ matches the
transition and we are done.

(B1)[2] Otherwise, suppose $P_1 \xrightarrow{s} P_1'$ and $Q \xrightarrow{s} Q$.

(B1)[2.1] If $P_2 \stackrel{s}{\Rightarrow} P_2'$ and $P_1' \approx_L P_2'$ then $(P_2 \mid Q) \Rightarrow (P_2' \mid Q)$ and we are done.

(B1)[2.2] If $P_2 \Rightarrow P_2'$ and $P_1' \approx_L (P_2' \mid (\text{emit } s))$ then $(P_2 \mid Q) \Rightarrow (P_2' \mid Q)$ and
$((P_2' \mid Q) \mid (\text{emit } s)) =_L ((P_2' \mid (\text{emit } s)) \mid Q)$ so that we close the diagram up to $=_L$.

(B1)[3] Otherwise, suppose $P_1 \xrightarrow{s} P_1$ and $Q \xrightarrow{s} Q'$.

(B1)[3.1] If $\neg P_1 \Downarrow_L$ then by lemma [?] $\neg (P_1 \mid Q) \Downarrow_L$, $\neg (P_1 \mid Q') \Downarrow_L$, $\neg P_2 \Downarrow_L$, $\neg (P_2 \mid Q) \Downarrow_L$.
Therefore $(P_1 \mid Q') \approx_L (P_2 \mid Q)$.

(B1)[3.2] If $P_1 \Downarrow_L$ then $P_2 \stackrel{s}{\Rightarrow} P_2'$ and $P_1 \approx_L P_2'$. Hence $(P_2 \mid Q) \Rightarrow (P_2' \mid Q')$ and
$(P_1 \mid Q')\ R\ (P_2' \mid Q')$.

(B3) Suppose $(P_1 \mid Q) \Downarrow_L$.

(B3)[1] Suppose $P_1 \xrightarrow{s} \cdot$. Then $P_1 \Downarrow_L$ and by (B3) $P_2 \Rightarrow P_2' \xrightarrow{s} \cdot$ and $P_1 \approx_L P_2'$. Thus
$(P_2 \mid Q) \Rightarrow (P_2' \mid Q) \xrightarrow{s} \cdot$ and we can conclude.

(B3)[2] Suppose $Q \xrightarrow{s} \cdot$. Then $(P_2 \mid Q) \xrightarrow{s} \cdot$ and we are done.

(L1) Suppose $(P_1 \mid Q \mid S)\downarrow$. Then $(P_1 \mid S)\downarrow$ and from $P_1 \approx_L P_2$ we derive $(P_2 \mid S) \Rightarrow (P_2' \mid S)\downarrow$
and $(P_1 \mid S) \approx_L (P_2' \mid S)$. In particular, $\{s \mid P_1 \mid S \xrightarrow{s} \cdot\} = \{s \mid P_2' \mid S \xrightarrow{s} \cdot\}$. We
can also derive that $(P_2 \mid Q \mid S) \Rightarrow (P_2' \mid Q \mid S)$, however $(P_2' \mid Q \mid S)\downarrow$ may fail because of
a synchronisation of $P_2'$ and $Q$ on some signal which is not already in $S$. Then we consider
$S'$ as the parallel composition of emissions $(\text{emit } s)$ where $(P_1 \mid Q) \xrightarrow{s} \cdot$. By lemma 31 we
derive that:

(i) $(P_1 \mid Q \mid S) =_L (P_1 \mid S \mid S') \mid (Q \mid S \mid S')$ and
(ii) $(P_2' \mid Q \mid S) =_L (P_2' \mid S \mid S') \mid (Q \mid S \mid S')$.

We also observe that $(P_1 \mid S \mid S')\downarrow$. Together with $(P_1 \mid S) \approx_L (P_2' \mid S)$ this implies
by (L1) $(P_2' \mid S \mid S') \Rightarrow (P_2'' \mid S \mid S')\downarrow$, $(P_1 \mid S \mid S') \approx_L (P_2'' \mid S \mid S')$, and
$\lfloor P_1 \mid S \mid S' \rfloor \approx_L \lfloor P_2'' \mid S \mid S' \rfloor$. Now it must be that $((P_2'' \mid S \mid S') \mid (Q \mid S \mid S'))\downarrow$ because the
left component already emits all the signals that could be emitted by the right one (and
vice versa). By conditions (S1–2) and (ii) we have that $(P_2' \mid Q \mid S) \Rightarrow (P_2'' \mid Q \mid S)\downarrow$
and $(P_2'' \mid Q \mid S) =_L (P_2'' \mid S \mid S') \mid (Q \mid S \mid S')$. To summarise, we have shown that
$(P_2 \mid Q \mid S) \Rightarrow (P_2'' \mid Q \mid S)\downarrow$,

$(P_1 \mid Q \mid S) =_L (P_1 \mid S \mid S') \mid (Q \mid S \mid S')\ R\ (P_2'' \mid S \mid S') \mid (Q \mid S \mid S') =_L (P_2'' \mid Q \mid S)$, and
$\lfloor P_1 \mid Q \mid S \rfloor =_L \lfloor P_1 \mid S \mid S' \rfloor \mid \lfloor Q \mid S \mid S' \rfloor\ R\ \lfloor P_2'' \mid S \mid S' \rfloor \mid \lfloor Q \mid S \mid S' \rfloor =_L \lfloor P_2'' \mid Q \mid S \rfloor$

as required by the notion of labelled bisimulation up to $=_L$.

(L2) Suppose $P_1 \mid Q \xrightarrow{s} P_1' \mid Q$.

(L2)[1] Suppose $P_1 \xrightarrow{s} P_1'$.

(L2)[1.1] If $P_2 \stackrel{s}{\Rightarrow} P_2'$ and $P_1' \approx_L P_2'$ we are done.

(L2)[1.2] If $P_2 \Rightarrow P_2'$ and $P_1' \approx_L P_2' \mid (\text{emit } s)$ then $P_2 \mid Q \Rightarrow P_2' \mid Q$ and we note that
$(P_2' \mid Q) \mid (\text{emit } s) =_L (P_2' \mid (\text{emit } s)) \mid Q$.

(L2)[2] Suppose $Q \xrightarrow{s} Q'$. Then $(P_2 \mid Q) \xrightarrow{s} (P_2 \mid Q')$ and we are done.

(5) Let $Q = \text{present } s\ P\ B$ and $Q' = \text{present } s\ P'\ B'$.

(B1) Note that $\neg(Q \xrightarrow{\tau} \cdot)$.

(B3) Note that $\neg(Q \xrightarrow{s} \cdot)$.

(L1) Suppose $S = \text{emit } s_1 \mid \cdots \mid \text{emit } s_n$ and that $(Q \mid S)\downarrow$. Then $s_i \neq s$ for $i = 1, \dots, n$
and $\lfloor Q \mid S \rfloor = (\!|B|\!)_{\{s_1, \dots, s_n\}}$. Note that $(Q' \mid S)\downarrow$ too, and from the hypothesis $B \approx_L B'$
we derive $\lfloor Q \mid S \rfloor \approx_L \lfloor Q' \mid S \rfloor = (\!|B'|\!)_{\{s_1, \dots, s_n\}}$.

(L2) The transition $\text{present } s\ P\ B \xrightarrow{s} P \mid (\text{emit } s)$ is matched by $\text{present } s\ P'\ B' \xrightarrow{s} P' \mid (\text{emit } s)$.
By hypothesis, $P \approx_L P'$ and by (1), we derive $P \mid (\text{emit } s) \approx_L P' \mid (\text{emit } s)$. □

A.9 Proof of lemma [?]

(1) Condition $(B3)^{\downarrow}$ is weaker than condition (B3). Therefore, $P \approx_L Q$ implies $P \approx_L^{\downarrow} Q$.

(2) Reflexivity is obvious. For transitivity, as usual, we have to check that $\approx_L^{\downarrow} \circ \approx_L^{\downarrow}$ is a
$\downarrow$-labelled bisimulation. We focus on the new condition $(B3)^{\downarrow}$. Suppose $P_1 \approx_L^{\downarrow} P_2 \approx_L^{\downarrow} P_3$,
$P_1\downarrow$, and $P_1 \xrightarrow{s} \cdot$. By $(B3)^{\downarrow}$, $P_2 \Rightarrow P_2'$ and $P_2' \xrightarrow{s} \cdot$. By (B2), $P_2 \Rightarrow P_2''$, $P_2''\downarrow$, and
$P_1 \approx_L^{\downarrow} P_2''$. By confluence, $P_2' \Rightarrow P_2''$ and $P_2'' \xrightarrow{s} \cdot$. By (B1), $P_3 \Rightarrow P_3''$ and $P_2'' \approx_L^{\downarrow} P_3''$. By
$(B3)^{\downarrow}$, $P_3'' \Rightarrow P_3'''$, $P_2'' \approx_L^{\downarrow} P_3'''$, and $P_3''' \xrightarrow{s} \cdot$. Thus we have that $P_3 \Rightarrow P_3'''$, $P_3''' \xrightarrow{s} \cdot$, and
$P_1 \approx_L^{\downarrow} P_2'' \approx_L^{\downarrow} P_3'''$ as required by condition $(B3)^{\downarrow}$.

(3) We check that:

$\mathcal{R} = Id \cup \{(P,Q) \mid P \xrightarrow{\tau} Q \text{ or } Q \xrightarrow{\tau} P\}$

is a labelled bisimulation up to $=_L$, where $Id$ is the identity relation. Thus $P \xrightarrow{\tau} Q$ implies
$P \approx_L Q$. By (1), $P \approx_L^{\downarrow} Q$ and by proposition [?] $tr(P) = tr(Q)$.

(B1) Suppose $P \xrightarrow{\tau} P_1$. If $P \xrightarrow{\tau} Q$ then by confluence, either $P_1 = Q$ or $\exists P_{12}$ with $P_1 \xrightarrow{\tau} P_{12}$
and $Q \xrightarrow{\tau} P_{12}$. In the first case, $Q \Rightarrow Q$ and $(P_1, Q) \in \mathcal{R}$. In the second case, $Q \Rightarrow P_{12}$
and $(P_1, P_{12}) \in \mathcal{R}$. On the other hand, if $Q \xrightarrow{\tau} P$ then $Q \Rightarrow P_1$.

(B3) Suppose $P \Downarrow$ and $P \xrightarrow{s} \cdot$. If $P \xrightarrow{\tau} Q$ then $Q \xrightarrow{s} \cdot$ and $Q \Rightarrow Q$. On the other hand,
if $Q \xrightarrow{\tau} P$ then $Q \Rightarrow P$.

(L1) If $P \xrightarrow{\tau} Q$ then $P \mid S\downarrow$ is impossible. On the other hand, if $Q \xrightarrow{\tau} P$ and $P \mid S\downarrow$ then
$Q \mid S \xrightarrow{\tau} P \mid S$.

(L2) Suppose $P \xrightarrow{s} P_1$. If $P \xrightarrow{\tau} Q$ then either $P_1 = Q$ or $\exists P_{12}$ with $P_1 \xrightarrow{\tau} P_{12}$ and $Q \xrightarrow{s} P_{12}$. In
the first case, we have $Q \Rightarrow Q$ and $P_1\ \mathcal{R}\ Q =_L Q \mid (\text{emit } s)$. In the second case, $Q \stackrel{s}{\Rightarrow} P_{12}$
and $(P_1, P_{12}) \in \mathcal{R}$. On the other hand, if $Q \xrightarrow{\tau} P$ then $Q \stackrel{s}{\Rightarrow} P_1$.

(4) Obviously, the critical condition to check is (B3). By proposition [?] we can use the
predicate $\Downarrow$ rather than the predicate $\Downarrow_L$. So suppose $P_1 \approx_L^{\downarrow} Q_1$, $P_1 \xrightarrow{s} \cdot$, $P_1 \Rightarrow P_2$, and
$P_2\downarrow$. By (B1), $Q_1 \Rightarrow Q_2$ and $P_2 \approx_L^{\downarrow} Q_2$. By $(B3)^{\downarrow}$, $Q_2 \Rightarrow Q_3$, $Q_3 \xrightarrow{s} \cdot$ and $P_2 \approx_L^{\downarrow} Q_3$. By
(3), $P_1 \approx_L^{\downarrow} P_2$. By transitivity of $\approx_L^{\downarrow}$, $P_1 \approx_L^{\downarrow} Q_3$. □

A.10 Proof of lemma 42

(1) This follows from the remark that $P \mid (\text{emit } s) \to P'$ if and only if $P \xrightarrow{s} P'$.

(2) We check the 5 conditions.

(B1) If $P \xrightarrow{\tau} P'$ then $tr(P) = tr(P')$, by lemma [?](2). Thus $Q \Rightarrow Q$ and $(P', Q) \in \mathcal{R}$.

(B3) In view of proposition [?] it is enough to check condition $(B3)^{\downarrow}$. If $P\downarrow$ and $P \xrightarrow{s} \cdot$
then $P \stackrel{I/O}{\Longrightarrow} \lfloor P \rfloor$ and $s \in O$. Thus $Q \stackrel{I/O}{\Longrightarrow} Q'$. In particular, $Q \Rightarrow Q''$, $Q'' \xrightarrow{s} \cdot$. By lemma
[?](3), $tr(Q) = tr(Q'')$. Thus $(P, Q'') \in \mathcal{R}$.

(L1) If $P \mid S\downarrow$ then $P \stackrel{I/O}{\Longrightarrow} P'$ where $I = \{s \mid S \xrightarrow{s} \cdot\}$, $P \mid S \Rightarrow P''$, $P''\downarrow$, $O = \{s \mid P'' \xrightarrow{s} \cdot\}$,
and $P' = \lfloor P'' \rfloor$. By (1), $tr(P \mid S) = tr(Q \mid S)$. Thus $Q \stackrel{I/O}{\Longrightarrow} Q'$ where $Q \mid S \Rightarrow Q''$, $Q''\downarrow$,
and $Q' = \lfloor Q'' \rfloor$. Now $(P'', Q''), (P', Q') \in \mathcal{R}$ since by lemma [?](3) $tr(P'') = tr(P \mid S) = tr(Q \mid S) = tr(Q'')$.

(L2) If $P \xrightarrow{s} P'$ then $(P \mid (\text{emit } s)) \xrightarrow{\tau} (P' \mid (\text{emit } s))$ and by lemma [?](3)
$tr(P \mid (\text{emit } s)) = tr(P' \mid (\text{emit } s))$. Moreover, $P' \approx_L (P' \mid (\text{emit } s))$ thus by proposition [?]
$tr(P') = tr(P' \mid (\text{emit } s))$. By (1), $tr(P \mid (\text{emit } s)) = tr(Q \mid (\text{emit } s))$. We can conclude by considering that
$Q \Rightarrow Q$ and $(P', Q \mid (\text{emit } s)) \in \mathcal{R}$ since $tr(P') = tr(P' \mid (\text{emit } s)) = tr(P \mid (\text{emit } s)) = tr(Q \mid (\text{emit } s))$. □